Is it safe to remove an old administrator user that probably set up our server?
The mailbox is deleted.
Is it possible that the user has signed some agents or something that can mess up the server if I delete the user?
Subject: domain search
You can run a domain search for the user to see if that user is anywhere important. In the Domino Admin client, select the user and then click the Find User tool on the right. Also, search your server logs for that user; if any agents are running under that ID, they should show up. Back up the user, then delete him/her. If there are any issues, restore the user.
Subject: seems very easy to me do the following:
Get and activate Full Access Administration.
Mark the Root Folder → ACL → Add LocalDomainAdmins as Person Group / Manager → OK. It will add the group to any database, template, etc. on the server where it didn't already exist.
Mark the Root Folder → ACL → change LocalDomainAdmins to Person Group / Manager. It will change the permissions on all databases / folders where it already existed before and wasn't changed by adding the admin.
Mark the Root Folder → Sign → Sign with the actual Server ID. This will re-sign all databases and templates on the server with the server's ID.
Now check that you have access to all Server and Web Site Config documents, to make sure none of these documents were encrypted with the old admin's ID.
Put the admin user in the deny access group for safety.
After a month or so, delete your old admin user.
regards
Tibor
Subject: the user isn’t in any acl
I dug a little and the user is already in the $no access group, and with the Find User tool the person didn't have any special permissions.
Seems to be safe to delete the user?
Subject: Easier Suggestions
First of all, putting the Admin in the deny access group will have the same effect that deleting the person doc will (ask my former employer, who found out the hard way).
Second, you can use the Find User function in the Domino Admin client (People & Groups tab → right side of the client under Tools → highlight the person's name and click Find User(s)). The results are posted to Admin4.nsf with links to each place that Adminp finds the name.
Subject: In addition to Susan’s Suggestion
DDM is your friend. If you are running v7 servers or higher you can use Database Review and also ACL Reviews as probes to find what you need.
Database Review will search through every db you list and report on agents, signers and even on behalf of. You can search for the name you want to remove.
ACL Review will produce a report of any ACL entries containing the user you specify; however, the Find User option is better for that because it also looks at group memberships and policies.
The key thing is to put your admin in deny access and lock them out of the server (that will happen as soon as they go into deny access) as soon as possible.
Gabriella
Subject: Another Suggestion
If using DDM isn’t suitable for you, you still need to produce an agent report. There are a couple of free tools in OpenNTF called something like “Automated Admin” or “Admin Power Tools” that will scan agents for you.
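An agent report of the kind discussed in the posts above can also be produced with a short LotusScript agent. This is an added example, not part of any poster's reply and not one of the OpenNTF tools; the server and user names are placeholders, and it assumes the agent is signed and run by an ID that can open every database (for example with Full Access Administration). It only covers agents, not other signed design elements.

```lotusscript
Option Public
Option Declare

' Placeholders (assumptions): set these to your server and the old admin's name.
Const TARGET_SERVER = "Server01/Acme"
Const OLD_ADMIN = "Old Admin/Acme"

Sub Initialize
	Dim dbdir As New NotesDbDirectory(TARGET_SERVER)
	Dim target As New NotesName(OLD_ADMIN)
	Dim db As NotesDatabase
	Dim agents As Variant
	Dim hits As Long, skipped As Long

	' TEMPLATE_CANDIDATE walks both databases (.nsf) and templates (.ntf).
	Set db = dbdir.GetFirstDatabase(TEMPLATE_CANDIDATE)
	Do Until db Is Nothing
		On Error Resume Next          ' a database we cannot open must not stop the scan
		Call db.Open("", "")
		On Error Goto 0
		If db.IsOpen Then
			agents = db.Agents
			If IsArray(agents) Then
				Forall a In agents
					' Owner is the last signer; OnBehalfOf is the "run on behalf of" name.
					If SameName(CStr(a.Owner), target) Or SameName(CStr(a.OnBehalfOf), target) Then
						hits = hits + 1
						Print db.FilePath & " | " & a.Name & " | signer=" & a.Owner & _
						" | onBehalfOf=" & a.OnBehalfOf & " | enabled=" & CStr(a.IsEnabled)
					End If
				End Forall
			End If
		Else
			skipped = skipped + 1     ' report these: unscanned is not the same as clean
			Print "NOT SCANNED (no access): " & db.FilePath
		End If
		Set db = dbdir.GetNextDatabase
	Loop
	Print "Agents referencing " & target.Abbreviated & ": " & CStr(hits) & _
	", databases not scanned: " & CStr(skipped)
End Sub

' Compare names in abbreviated form so canonical and abbreviated spellings match.
Function SameName(value As String, target As NotesName) As Boolean
	If value = "" Then Exit Function
	Dim n As New NotesName(value)
	SameName = (LCase(n.Abbreviated) = LCase(target.Abbreviated))
End Function
```

Any database listed as not scanned needs a manual check before the report is treated as complete.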
Subject: If you don’t know - don’t delete
My first thought is: if you are not sure, don’t delete until you are sure.
Depending on how the environment was administrated, all functions could stop if the admin used his/her Id for everything.
You really have to investigate all templates (acls, design), security settings on servers, ACLs of all databases in the domain, desktop security settings, etc. to find out what exactly the situation is and then come up with a plan on how to tackle it and to make sure this does not happen again in the future. I would.
If you are concerned with security, I would add the admin’s old ID to your deny access group so at least it can’t be used to connect to servers anymore and then start digging. Depending on the size and complexity of your environment you will want somebody experienced to help and possibly design a new administration structure to prevent this situation from happening again.
Victor