NDSRight v MT-1.10
==================
(Feb 16, 1997)

DISCLAIMER
----------

THIS PRODUCT IS SUPPLIED "AS IS". THE AUTHOR DISCLAIMS ALL WARRANTIES,
EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE WARRANTIES OF
MERCHANTABILITY AND OF FITNESS FOR ANY PURPOSE. THE AUTHOR ASSUMES NO
LIABILITY FOR DAMAGES, DIRECT OR CONSEQUENTIAL, WHICH MAY RESULT FROM
THE USE OF THIS PRODUCT.

Introduction
------------

NDSRight is a DOS command-line utility that allows a user to change the
ACL assignments of any NDS objects. The use of the wild card ("*") is
supported, so you can batch-update/change ACL assignments. This is
particularly useful if you have a large number of objects to manage.
You can also use NDSRight to report the ACL assignments for audit
purposes.

This utility is designed to be command-line based and perhaps invoked
through batch files. Therefore, not much user interface or fancy menu
prompting is built into the utility.

Notes
-----

1.  The names of the attributes are schema dependent. Therefore, you
    need to be careful when specifying the attribute names. A complete
    list of attribute names for NetWare 4.1's Organization,
    Organizational Unit, and User objects is provided with the
    documentation of the registered version of this utility.

    You can find the detailed listing of all attributes for NetWare 4.1
    object types in either Novell's Software Development Kit (SDK) CD
    or Appendix B of "NDS Troubleshooting", New Riders Publishing;
    ISBN 1-56205-443-0.

2.  Because of a possible bug in the NetWare Client API, the Country
    container has to be handled differently. To view ACL rights
    assigned to Country containers, you need to use "C=xx" or "C=A*"
    for the object name. That is to say, you either need to give the
    specific country code or, if you wish to use a wild card, you must
    provide the first character. Fortunately, in most cases you will
    not be working with the Country container, so this is just a mild
    inconvenience.

    You cannot use "C=*", as the API rejects it with an illegal syntax
    error.

3.  Wildcard in trustee name is not permitted.

4.  Wildcard in rights is permitted, but it must not be used in
    conjunction with other rights specified. For example, "-r *" is
    okay, but not "-r W*"; however, with "-r *W" or any other
    combination that has the "*" first, a wildcard (i.e. all rights)
    will be assumed.

5.  It has been found that on rare occasions, if an object name is very
    close to or the same as that of a class name in the schema (e.g. an
    organizational unit called Organizational_Unit), the object may not
    be correctly located. There is no immediate workaround for this
    problem at this time. However, we believe this situation will be
    very rare, if it occurs at all, in a production environment.

    On the other hand, depending on the operation you wish to perform,
    there may be a solution. For example, if you are having problems
    removing a particular trustee assignment of a particular attribute,
    try removing ALL the trustee assignments, then add back the one you
    wish to keep. Of course, you can also do this using NETADMIN or
    NWAdmin.

6.  If you leave out any of the "Objectname", "Trustee", "Attribute" or
    "Rights" command-line parameters, you will be prompted. If you
    simply press Enter or ESC, the program will exit.

7.  To override the default of the "-Z" option, which clears ALL
    trustees from a given attribute, the "-t" option MUST be used if
    you wish to specify which trustee is to be removed.

8.  There is currently no clean support to append the report log file
    to an existing one. I ran out of meaningful alphabet to use for
    this option so I am using "-f" (lowercase) for generating a new
    file, and "-F" (uppercase) for appending to an existing file.

9.  By default, NDSRight reports _all_ ACL assignments to an object,
    which include both the object and attribute assignments. If you
    wish to only look at the object rights, use the "-o" switch.

10. NDSRight does not attempt to resolve alias names when you are
    trying to remove a trustee assignment. You must use the "original"
    name. However, when you assign a trustee assignment, an alias may
    be used; but the NDS will record the trustee information using the
    "original" object name.

Installing NDSRight
-------------------

No special installation steps or program need to be used. Simply copy
NDSRight to SYS:PUBLIC of your servers. You must have the Unicode files
for the country code and code page that your workstation uses available
in the respective NLS directories, for example, SYS:PUBLIC\NLS.

Should you install NDSRight into a different directory, you may need a
search path to the directory where the Unicode files are located.

Running NDSRight
----------------

You can run NDSRight either with command-line parameters, or allow it
to prompt you for input. The allowable command-line parameters are:

    NDSRight [-a] [-c] [-f] [-F] [-n] [-o] [-r] [-s] [-t] [-v] [-x] [-Z]

where

"-a attrname"
    specifies the attribute to which the ACL assignment is to be made.
    If the attribute you referenced is composed of multiple words, such
    as Login Script, you need to place an underscore ("_") between each
    word. For example, "-a Login_Script". This is the standard notation
    used by NDS. However, this utility also allows you to use a period
    (".") instead of the underscore to save yourself having to use the
    Shift key.

"-c"
    specifies continuous scroll on display. Otherwise, the display
    pauses at the end of each displayed screen.

"-f"
    specifies that a report file should be generated. This is helpful
    when you are viewing a large number of objects, or would like a log
    file for your modification operation. If you use "-F", the report
    file will be appended to, if it exists.

"-n oName"
    specifies the target object name. This is the object to which the
    assignment will be made. For example, "-n admin". The use of the
    wild card (i.e. "*") is allowed, e.g. "-n adm*".

"-o"
    instructs the utility to assign rights to the object rather than to
    the attributes of the object. When this option is specified, the
    "-a" option is disregarded. Using this option is the same as
    specifying [Entry Rights] for the attribute.

"-r rightslist"
    specifies the NDS rights to be assigned to the attribute of the
    object. For example, "-r BC" for Browse and Create.

"-s"
    specifies searching of the subtree. This will cause the utility to
    recursively search the lower containers for a name match to the
    target object.

"-t tName"
    indicates the trustee object name. It is the object that will be
    made the trustee. For example, "-t guest" or "-t .admin.dreamlan".

"-v"
    views rights of target object(s). This is useful in getting a list
    of the different ACL rights assigned to an object.

"-x"
    clears rights before assigning new ones. If a trustee assignment is
    made to an attribute, but the trustee object already has an
    assignment to the same attribute, you must clear the old assignment
    before the new one can be assigned. This is to prevent you from
    accidentally overwriting an existing assignment.

"-Z"
    will remove _ALL_ the ACL assignments to an attribute of an object
    by default! Use it with care. Should you wish to only remove one of
    the trustees from an attribute, make sure you ALSO specify the -t
    parameter. This parameter _must_ be in uppercase.

Note: All of the above parameters (except for -F, -f and -Z)
----  are _not_ case sensitive.

Configuring NDSRight
--------------------

n/a

Registration
------------

Two variations of NDSRight are available. The version included here is
a Freeware version. The following options are _disabled_ in the
Freeware version:

1. -c for continuous scroll on output.
2. -f for generating a report log file.
3. -s for the ability to search subcontainers.
4. -x for the ability to clear a trustee assignment before a new one
   is assigned.
5. -Z for the ability to remove a trustee assignment.
6. The ability to use a wildcard on the "target object name".

The Freeware version does _not_ include a complete list of attribute
names for NetWare 4.1's Organization, Organizational Unit, and User
objects.

You are granted unlimited usage at no cost. However, you are not
allowed to sell or package this utility as part of another software
package or service contract. Bottom line: you cannot make money using
this Freeware version. All standard Freeware limitations apply.

Should you find the need, a registered version is available for $99US.
This will be a NETWORK license, limited to ONE NDS TREE. This license
does not permit you to resell NDSRight or to include it as part of
another software package or service contract.

You can register NDSRight on-line through CompuServe (!GO SWREG) or you
can FAX a Purchase Order to (905) 886-2534. Canadian orders are $135
CDN plus GST. All other countries, please remit in US funds.

Special site agreements for multiple trees and service providers are
available.

Although the license does not grant you the right to resell the program
(i.e. for a profit; you can, however, charge the customer a service
charge for your time), if you are a service provider you can register
copies on behalf of your customers (by providing your customer's
mailing information -- this is used only for tracking purposes). At the
same time, we ask you to send us a separate email indicating that you
are registering on behalf of your customer, and to indicate in this
email whether further software upgrades (free or for a charge) should
be sent to you or to the customer directly, and an email address for
that purpose.

Other Information
-----------------

NDSRight is written in C using Microsoft C optimizing compiler and
Novell's Client SDK v1.0e. Some string manipulation routines are from
the CXL library.

Revision History
----------------

Oct 02, 1995. Version MT-1.00, first released code.
Oct 05, 1995. Version MT-1.01, added color support.
Oct 08, 1995. Version MT-1.02, fixed a memory allocation problem due to
              not releasing buffer inside a loop. This became a problem
              when viewing a large number of objects.
Feb 16, 1997. Version MT-1.10, added tree name check.
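
Added example (not part of NDSRight or its original documentation): a pre-flight checker that applies the rules from the Notes and the option descriptions above to command lines before a batch file is run, flagging "-Z" without "-t", misplaced wildcards and the case-sensitive switches. The function names, severity labels and sample command lines are constructed for illustration; it assumes switches and their values are separated by spaces, as in the examples above.

```python
import shlex

VALUE_SWITCHES = {"a", "n", "r", "t"}   # switches the README shows with a value
CASE_SENSITIVE = {"f", "F", "Z"}        # README: every other switch ignores case

def parse(cmdline):
    """Split one NDSRight command line into {switch: value or True}."""
    it = iter(shlex.split(cmdline)[1:])  # drop the program name
    opts = {}
    for tok in it:
        sw = tok.lstrip("-")
        key = sw if sw in CASE_SENSITIVE else sw.lower()
        opts[key] = next(it, True) if key in VALUE_SWITCHES else True
    return opts

def lint(cmdline):
    """Return findings for one command line, using only rules the README states."""
    o = parse(cmdline)
    name, rights, trustee = (str(o.get(k, "")) for k in ("n", "r", "t"))
    out = []
    if "Z" in o and "t" not in o:
        out.append("HIGH: -Z without -t removes ALL trustees from the attribute")
    if "Z" in o and "*" in name:
        out.append("HIGH: -Z combined with a wildcard object name")
    if "z" in o:
        out.append("WARN: lowercase -z; the removal switch must be uppercase -Z")
    if "*" in trustee:
        out.append("ERROR: wildcard in trustee name is not permitted")
    if "*" in rights and rights != "*":
        if rights.startswith("*"):
            out.append("WARN: '*' first means all rights are assumed")
        else:
            out.append("ERROR: '*' cannot be combined with other rights")
    if name.upper() == "C=*":
        out.append("ERROR: C=* is rejected; give the code or its first character")
    if "o" in o and "a" in o:
        out.append("INFO: -a is disregarded when -o is given")
    return out

SAMPLE_BATCH = [  # constructed command lines, not from a real batch file
    "NDSRight -n adm* -a Login.Script -Z",
    "NDSRight -n admin -a Login_Script -t guest -Z",
    'NDSRight -n admin -a Login_Script -t guest -r "*W" -x',
    "NDSRight -N admin -o -T .admin.dreamlan -R BC",
]

if __name__ == "__main__":
    for line in SAMPLE_BATCH:
        print(line, "->", lint(line) or "ok")
```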