DSfW: How to recreate the Administrator user

  • 7015440
  • 29-Jul-2014
  • 29-Jul-2014

Environment

Novell Open Enterprise Server 11 SP2 (OES11SP2)
Novell Open Enterprise Server 11 SP1 (OES11SP1)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows
DSFW

Situation

How to recreate the Administrator user.

The Administrator user was accidentally deleted. How do I re-create the Administrator user?

Resolution

Create a new file, for example create_administrator.ldif.

Copy the Administrator section from /var/opt/novell/xad/ds/domain/administrator.ldif and paste it into the create_administrator.ldif file.


Example:

dn: CN=Administrator,CN=Users,o=novell
cn: Administrator
adminCount: 1
codePage: 0
countryCode: 0
description: Built-in account for administering the domain
isCriticalSystemObject: TRUE
objectClass: User
objectClass: uamPosixUser
primaryGroupId: 513
userAccountControl: 66048
uidNumber: 1049076
gidNumber: 1049089
uniqueID: Administrator
sn:: IA==


Import the LDIF with ldapadd, authenticating with the EXTERNAL SASL mechanism:

export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
ldapadd -Y EXTERNAL -f create_administrator.ldif


Now that the user is created, its objectSid needs to be set. Open /var/opt/novell/xad/ds/domain/domain.ldif and look for the following entry:

dn: CN=Administrator,CN=Users,o=novell
changetype: modify
replace: objectSid
objectSid:: AQUAAAAAAAUVAAAAKVa+HYBqAAyXXuIR9AEAAA==

Copy and paste these lines into a file called modify_administrator.ldif, then import it:

ldapmodify -Y EXTERNAL -f modify_administrator.ldif


Next, import the ACLs from /var/opt/novell/xad/ds/domain/administrator-acl-on-root.ldif:

ldapmodify -Y EXTERNAL -f /var/opt/novell/xad/ds/domain/administrator-acl-on-root.ldif


Verify with wbinfo that the SID of the Administrator ends with 500 (the well-known RID of the built-in Administrator account).
First restart winbind to clear its cache; otherwise it may still show the old SID if wbinfo was run between the creation and the modification of the Administrator object.

Example:
rcwinbind restart
wbinfo -n administrator
S-1-5-21-3262899241-201330870-300001753-502 User (1)
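The RID can also be checked before the import, directly from the objectSid:: line copied out of domain.ldif. The following Python example is added here and is not part of this TID; it decodes the base64 SID into the S-1-5-21-... form and checks that the last sub-authority is 500. The sample line is the objectSid value shown above.

```python
import base64
import struct

# Constructed sample: the objectSid line as it appears in modify_administrator.ldif.
# The double colon ("::") in LDIF means the value is base64-encoded.
SAMPLE_LDIF_LINE = "objectSid:: AQUAAAAAAAUVAAAAKVa+HYBqAAyXXuIR9AEAAA=="


def decode_sid(raw: bytes) -> str:
    """Convert a binary SID (the objectSid attribute) to S-R-I-S1-S2-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision = raw[0]
    sub_count = raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    # 48-bit identifier authority, big-endian (5 = NT authority)
    authority = int.from_bytes(raw[2:8], "big")
    # sub-authorities are 32-bit little-endian integers; the last one is the RID
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_from_ldif_line(line: str) -> str:
    """Parse an 'objectSid:: <base64>' LDIF line into its string SID."""
    attr, sep, value = line.partition("::")
    if attr.strip() != "objectSid" or not sep:
        raise ValueError("expected an 'objectSid::' line with a base64 value")
    return decode_sid(base64.b64decode(value.strip()))


def rid(sid: str) -> int:
    """Return the relative identifier, i.e. the last sub-authority of the SID."""
    return int(sid.rsplit("-", 1)[1])


def is_builtin_administrator_sid(sid: str) -> bool:
    """RID 500 identifies the built-in domain Administrator account."""
    return rid(sid) == 500


if __name__ == "__main__":
    sid = sid_from_ldif_line(SAMPLE_LDIF_LINE)
    print(sid, "- RID 500 OK" if is_builtin_administrator_sid(sid) else "- RID is not 500")
```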


Add Administrator as a member of the following groups:

CN=Administrators,CN=Builtin,<YourDomain or MappedContainer>

CN=Windows Authorization Access Group,CN=Builtin,<YourDomain or MappedContainer>

CN=Domain Admins,CN=Users,<YourDomain or MappedContainer>

CN=Schema Admins,CN=Users,<YourDomain or MappedContainer>

CN=Cert Publishers,CN=Users,<YourDomain or MappedContainer>

CN=Group Policy Creator Owners,CN=Users,<YourDomain or MappedContainer>

Additional Information

If you are comfortable with LDIF files, you can import a single file for Administrator instead of two: add the objectSid:: line from modify_administrator.ldif to create_administrator.ldif, so that it reads as follows.

dn: CN=Administrator,CN=Users,o=novell
cn: Administrator
adminCount: 1
codePage: 0
countryCode: 0
description: Built-in account for administering the domain
isCriticalSystemObject: TRUE
objectClass: User
objectClass: uamPosixUser
primaryGroupId: 513
userAccountControl: 66048
uidNumber: 1049076
gidNumber: 1049089
uniqueID: Administrator
sn:: IA==
objectSid:: AQUAAAAAAAUVAAAAKVa+HYBqAAyXXuIR9AEAAA==