DSfW: How To recreate a Domain Admins group

  • 7014834
  • 01-Apr-2014
  • 01-Apr-2014

Environment

Novell Open Enterprise Server 11 SP2 (OES11SP2)
Novell Open Enterprise Server 11 SP1 (OES11SP1)
Domain Services for Windows
DSFW

Situation

The Domain Admins group was accidentally deleted.  How do I recreate the Domain Admins group?

Resolution

The object should not be created with iManager or MMC, because the objectSid must be a specific value (the domain SID followed by the well-known Domain Admins RID, 512) rather than a newly generated one.  Instead, use /var/opt/novell/xad/ds/domain/domain.ldif on the first DSfW server installed.
Copy and paste the section regarding the Domain Admins group.

Example:
dn: CN=Domain Admins,CN=Users,o=novell
cn: Domain Admins
description: Domain administrators
groupType: -2147483646
isCriticalSystemObject: TRUE
objectClass: Group
objectClass: posixGroup
objectClass: uamPosixGroup
objectSid:: AQUAAAAAAAUVAAAAKXX4WLYkAAwXm+MRAAIAAA==
samAccountName: Domain Admins
samAccountType: 268435456
gidNumber: 1049088

Save it to a file on the DSfW server, for example domainAdmins.ldif.

Apply the entry using ldapadd with the SASL EXTERNAL mechanism, run as root on the DSfW server.  First export LDAPCONF, then run ldapadd:
export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
/usr/bin/ldapadd -Y EXTERNAL -f domainAdmins.ldif
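Before running ldapadd it is worth confirming that the objectSid you pasted is really the Domain Admins SID for your domain: the last sub-authority (the RID) must be 512, and the part before it must equal the domain SID carried by existing objects such as Administrator (RID 500). The following decoder is an added example, not Novell code from this TID; the only page value it uses is the base64 objectSid from the entry above, and the RID constants are the standard well-known values.

```python
import base64
import struct
from typing import Optional, Tuple

# objectSid value exactly as it appears in the Domain Admins LDIF entry above
DOMAIN_ADMINS_OBJECTSID_B64 = "AQUAAAAAAAUVAAAAKXX4WLYkAAwXm+MRAAIAAA=="

# Well-known RIDs in any AD-style domain (standard constants, not page values)
DOMAIN_ADMINS_RID = 512
ADMINISTRATOR_RID = 500


def decode_sid(raw: bytes) -> str:
    """Render a binary SID as S-R-A-S1-S2-...: byte 0 is the revision, byte 1 the
    sub-authority count, bytes 2..7 the 48-bit big-endian identifier authority,
    then one little-endian uint32 per sub-authority."""
    if len(raw) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_from_ldif_value(b64: str) -> str:
    """Decode an 'objectSid::' base64 LDIF value to its string form."""
    return decode_sid(base64.b64decode(b64))


def split_sid(sid: str) -> Tuple[str, int]:
    """Split S-1-5-21-...-RID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def check_domain_admins_sid(b64: str, expected_domain_sid: Optional[str] = None) -> bool:
    """True when the LDIF value has RID 512 and, if given, belongs to the expected
    domain SID (take that from an existing object such as Administrator, RID 500)."""
    domain, rid = split_sid(sid_from_ldif_value(b64))
    if rid != DOMAIN_ADMINS_RID:
        return False
    return expected_domain_sid is None or domain == expected_domain_sid


if __name__ == "__main__":
    print(sid_from_ldif_value(DOMAIN_ADMINS_OBJECTSID_B64))
    # S-1-5-21-1492677929-201335990-300129047-512
    print("RID 512 check:", check_domain_admins_sid(DOMAIN_ADMINS_OBJECTSID_B64))
```

To compare against your own domain, read the Administrator account's objectSid with ldapsearch, decode it the same way, and pass its domain part as expected_domain_sid; a mismatch means the domain.ldif you copied from is not the one for this domain.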

Next, apply the correct ACLs for the Domain Admins group.
The ACLs can be found in /var/opt/novell/xad/ds/domain/nds-domain.ldif, or you can take the list below and correct the dn and the context: change o=novell to your context both in the dn line and in each trustee DN.  Each ACL value has the form privileges#scope#trustee#attribute, where privileges is an eDirectory rights bitmask (for attributes 1 = compare, 2 = read, 4 = write, 8 = self; for [Entry Rights] 1 = browse, 2 = add, 4 = delete, 8 = rename; 16 = supervisor in both cases).  Save the list to a file; in this example we will call it domainAdminsAcl.ldif.

dn: o=novell
changetype: modify
add: ACL
ACL: 4#subtree#CN=Domain Admins,CN=Users,o=novell#dBCSPwd
ACL: 4#subtree#CN=Domain Admins,CN=Users,o=novell#unicodePwd
ACL: 4#subtree#CN=Domain Admins,CN=Users,o=novell#supplementalCredentials
ACL: 4#subtree#CN=Domain Admins,CN=Users,o=novell#currentValue
ACL: 4#subtree#CN=Domain Admins,CN=Users,o=novell#priorValue
ACL: 4#subtree#CN=Domain Admins,CN=Users,o=novell#initialAuthIncoming
ACL: 4#subtree#CN=Domain Admins,CN=Users,o=novell#initialAuthOutgoing
ACL: 6#subtree#CN=Domain Admins,CN=Users,o=novell#trustAuthIncoming
ACL: 6#subtree#CN=Domain Admins,CN=Users,o=novell#trustAuthOutgoing
ACL: 15#subtree#CN=Domain Admins,CN=Users,o=novell#[All Attributes Rights]
ACL: 15#subtree#CN=Domain Admins,CN=Users,o=novell#[Entry Rights]

Then apply the changes using ldapmodify:
/usr/bin/ldapmodify -Y EXTERNAL -f domainAdminsAcl.ldif
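Because these ACL values decide what the recreated group can do to every object under the domain container, it helps to expand them into readable rights before applying them and to confirm that none of them grants supervisor. The parser below is an added example, not part of this TID or of DSfW; it uses the eDirectory ACL syntax and bit values described above, and the sample values are a subset of the ACL list in domainAdminsAcl.ldif.

```python
from typing import Iterable, List, Tuple

# eDirectory ACL attribute syntax: privileges#scope#trustee#protectedAttribute.
# The privileges field is a bitmask; the bits have different names for
# ordinary attributes and for the special [Entry Rights] pseudo-attribute.
ATTRIBUTE_RIGHTS = {1: "compare", 2: "read", 4: "write", 8: "self", 16: "supervisor"}
ENTRY_RIGHTS = {1: "browse", 2: "add", 4: "delete", 8: "rename", 16: "supervisor"}

# Constructed sample: a subset of the ACL values from domainAdminsAcl.ldif above
SAMPLE_ACLS = [
    "4#subtree#CN=Domain Admins,CN=Users,o=novell#unicodePwd",
    "6#subtree#CN=Domain Admins,CN=Users,o=novell#trustAuthIncoming",
    "15#subtree#CN=Domain Admins,CN=Users,o=novell#[All Attributes Rights]",
    "15#subtree#CN=Domain Admins,CN=Users,o=novell#[Entry Rights]",
]


def parse_acl(value: str) -> Tuple[int, str, str, str]:
    """Split one ACL value into (privileges, scope, trustee DN, attribute)."""
    parts = value.split("#")
    if len(parts) != 4:
        raise ValueError(f"malformed ACL value: {value!r}")
    privileges, scope, trustee, attribute = parts
    if scope not in ("entry", "subtree"):
        raise ValueError(f"unknown ACL scope: {scope!r}")
    return int(privileges), scope, trustee, attribute


def rights_names(privileges: int, attribute: str) -> List[str]:
    """Expand the bitmask into right names appropriate for the attribute."""
    table = ENTRY_RIGHTS if attribute == "[Entry Rights]" else ATTRIBUTE_RIGHTS
    return [name for bit, name in sorted(table.items()) if privileges & bit]


def describe_acl(value: str) -> str:
    """One human-readable line per ACL value."""
    privileges, scope, trustee, attribute = parse_acl(value)
    return f"{trustee}: {'+'.join(rights_names(privileges, attribute))} on {attribute} ({scope})"


def supervisor_grants(values: Iterable[str]) -> List[str]:
    """Return the ACL values that include the supervisor bit (16); none of the
    documented Domain Admins ACLs should."""
    return [v for v in values if parse_acl(v)[0] & 16]


if __name__ == "__main__":
    for acl in SAMPLE_ACLS:
        print(describe_acl(acl))
    print("supervisor grants:", supervisor_grants(SAMPLE_ACLS))
```

Feed it the full ACL list from your own file (every line starting with "ACL: ") and review the output; anything other than write on the password and credential attributes, read and write on the trust attributes, and the non-supervisor entry and attribute rights indicates the file was edited or copied incorrectly.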

Finally, add Administrator and any other desired users as members of the Domain Admins group.
iManager, MMC, or an LDIF file can be used.

For the LDIF option, create a file that adds the users' DNs as member values of the Domain Admins group, changing the context to the appropriate value.  In this example the domain-mapped container is o=novell, and the file created is domainAdminsMembers.ldif.

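As an added example (not code from this TID or from DSfW), the helper below generates domainAdminsMembers.ldif for a given context and list of user DNs. It assumes the group membership attribute is member, as in both Active Directory and eDirectory, and follows the RFC 2849 rule that a value starting with a space, colon or "<", ending with a space, or containing non-ASCII characters must be written base64-encoded with "::". The context and member DN are constructed sample values matching this TID's o=novell example.

```python
import base64
from typing import Iterable

# Constructed example values; change the context to your domain-mapped container
CONTEXT = "o=novell"
MEMBERS = ["CN=Administrator,CN=Users,o=novell"]


def ldif_line(attr: str, value: str) -> str:
    """Format one attribute line per RFC 2849: values that start with space, ':'
    or '<', end with a space, or contain non-ASCII/control characters must be
    base64-encoded and written with '::'."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<"))
            and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def domain_admins_members_ldif(context: str, members: Iterable[str]) -> str:
    """Build the modify LDIF that adds each DN as a member of Domain Admins.
    Assumes the membership attribute is 'member' (AD and eDirectory)."""
    group_dn = f"CN=Domain Admins,CN=Users,{context}"
    lines = [ldif_line("dn", group_dn), "changetype: modify", "add: member"]
    lines.extend(ldif_line("member", dn) for dn in members)
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Writes domainAdminsMembers.ldif in the current directory; apply it on the
    # DSfW server with: /usr/bin/ldapmodify -Y EXTERNAL -f domainAdminsMembers.ldif
    ldif_text = domain_admins_members_ldif(CONTEXT, MEMBERS)
    with open("domainAdminsMembers.ldif", "w", encoding="ascii") as fh:
        fh.write(ldif_text)
    print(ldif_text, end="")
```

The generated file for the sample values is a single modify record: the group dn, changetype: modify, add: member, one member line per user DN, and a closing "-".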

/usr/bin/ldapmodify -Y EXTERNAL -f domainAdminsMembers.ldif

The Domain Admins group should now be created and set to the default settings.