Symetrik Domino Consulting

I posted last week about the SuperAdmin OpenNTF project. I installed it last Friday and let the agent run a while, and came in this morning to check out what it could report.

Keith Brooks commented in the last post that the ability to see the templates and ODS has been available in the Administration client since 6.5, plus the ability to modify the Administration Server (not see it). This is all true, but I still find the tool very useful for cleaning up ACL and administration server inconsistencies.

Here’s my review:

Super Admin has some helpful features. Many of the features, such as the ability to see what template a database is using or tell what ODS version a database is easily viewable in the Notes admin client.

It does take a while to run on the server and a while to get all of the report views updated properly.

As the installation instruction says, it does require your signor ID that you’ve signed the database with to be a full admin, even if the signor ID is a server administrator and a manager of all database. It didn’t seem to work properly until I added the ID file that I signed it with to the full administrator field in the server document.

The Orphaned databases view was very helpful. It found a mailbox that no longer had a person document which is one of the main reasons that I want to use the tool.

The All Databases section contains the template, ODS, and quota information which is currently already visible using the administration client. So it’s not really an improvement, unless you want to put a replica of this tool on all of your databases and be able to see the template, ODS, and disk space/quota information all in one place.

ACL Anomolies Section:
Administration Server View:
There is a categorization for “No administration server Set in ACL” which is very helpful.

However, I found at least one database that did have the administration server set, but the tool reported that it didn’t.

The “Administration Server Does Not Match Database Server” categorization isn’t very helpful because it provides false positives on cluster mate servers or hubs.

LocalDomainAdmins View:
The “LocalDomainAdmins Missing From ACL” categorization was very helpful, but would be better if this was further categorized by directory. It would make it easier to delineate root directory/system databases from mailboxes. Our mailboxes don’t have LocalDomainAdmins in the ACL.

The “LocalDomainAdmins Does Not Have Manager Access” categorization was also very helpful.

LocalDomainServers – View
There were 3 categorizations that were really helpful including:
LocaldomainServer Missing From ACL
LocalDomainServer Does Not Have Manager Access
LocalDomainServer Not Set to “Server Group”

I don’t use OtherDomainServers so I didn’t really need the OtherDomainServers view. However, I did find a couple of false positives reported that OtherDomainServers was not set as server group in when it actually was. Incidentally, these were also two databases that actually had LocalDomainServers missing from the ACL. Once, I added LocalDomainServers to the ACL, they disappeared from the OtherDomainServers Not Set To “Server Group” view.

It would be beneficial if there was a LocalDomainAdmins not set as person group categorization. Maybe there is that categorization, but I simply didn’t have any databases that matched the criteria.

It would also be great if we could define a group other than LocalDomainAdmins or LocalDomainServers to check whether the database had the group and whether it was a group type that we could specify (such as person group). Many organizations use a group other than LocalDomainAdmins or LocalDomainServers to manage their Domino infrastructure.

Once I made corrections in the ACLs of a couple of database, I found that the updates to what Super Admin was reporting happened within a few minutes.

I looked at the agent properties, and it appears that it runs every hour. It starts running as soon as you put the database on the server. I couldn’t see how you could run this locally and found no way to manually initiate the agent. So it appears that this must run on a server.