User object ADMIN

The first time you log in to a new Directory tree, you log in as the User object ADMIN; the only User object created during the NetWare 4 installation process. The ADMIN object is created when you first set up a Directory tree but not when you later add other servers to an existing tree.

The ADMIN object is assigned all rights (including the Supervisor right) to every object and property in the Directory tree. This gives ADMIN complete control of the Directory tree.

Note that when your first log in to a new Directory tree, you may want to create a User object and assign that object Supervisor rights to ensure that you have more than one object with sufficient rights to completely control the tree. Such an object can be critically important if the ADMIN object is deleted accidentally.

When it is created, ADMIN is assigned the Supervisor object right to the NetWare Server object. This gives ADMIN the Supervisor right to the root directory of all NetWare volumes attached to the server, so ADMIN can be used to manage all directories and files on every volume in the Directory tree.

ADMIN does not have any special significance like that of SUPERVISOR in previous versions of NetWare. ADMIN is granted rights to create and manage all objects simply because it is the first object created.

The following rights are also granted by default to provide basic network functionality:

• Container object where the Volume object SYS resides is granted Read and File Scan rights to the SYS:PUBLIC directory.

  This means that when users are created in that container, they can access all utilities located in the SYS:PUBLIC directory.

  Users outside the container object that holds the SYS volume should be made part of a group with explicit rights to the SYS:PUBLIC directory.

• When created, each User object is granted the Browse object right to the [Root] object.

  This means that all users can browse the entire Directory tree.

• When created, User objects are granted the Read right to all properties and the Write right to all login scripts associated with their own User objects.

Other objects that receive the Supervisor object right are allowed to create and manage other container objects and their leaf objects. This allows network control and management to be as centralized or as distributed as you want to make it.

You can rename or delete ADMIN at any time; however, you should assign another User object the Supervisor object right to the [Root] object before you delete ADMIN.

Be warned that you should never delete ADMIN without having assigned the Supervisor right to another User object. Neglecting to do so can be disastrous because you eliminate supervising control of the Directory tree. This warning also applies to other sections of the Directory tree where you have an ADMIN object defined. At each level of the tree where you have ADMIN defined, be sure you also have a User object with explicit Supervisor rights. It is also important to remember that rights can be granted at a container, and they can also be taken away. If all rights are filtered at a container and there is not a user in that container with all rights, then that container is without full administrative rights. This can cause problems.