How To re-create a DSfW Domain Users group

  • 7009288
  • 02-Sep-2011
  • 27-Apr-2012

Environment

Novell Open Enterprise Server 2 SP1 (OES2SP1)
Novell Open Enterprise Server 2 SP2 (OES2SP2)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows
DSFW

Situation

The Domain Users group was accidentally deleted.  How do I re-create the Domain Users group?

Resolution

Open /var/opt/novell/xad/ds/domain/administrator.ldif.
Copy the Domain Users object from that ldif.
Create a new ldif and paste the Domain Users group record from the administrator.ldif into it.
 
Example of what should be copied from the administrator.ldif:
 
dn: CN=Domain Users,CN=Users,o=novell
cn: Domain Users
description: All domain users
groupType: -2147483646
isCriticalSystemObject: TRUE
objectClass: Group
objectClass: posixGroup
objectClass: uamPosixGroup
gidNumber: 1049089
 
Then import the ldif.
Use the OpenLDAP ldapadd with a SASL or GSSAPI bind.
To use ldapadd, do the following for an ldif called /tmp/domain_users.ldif:
 
export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
ldapadd -f /tmp/domain_users.ldif

The Domain Users group is now created, but with an incorrect objectSid, samAccountName, and samAccountType.  The correct values are contained in the /var/opt/novell/xad/ds/domain/domain.ldif file.  Copy the section of domain.ldif that applies to the Domain Users group and create an ldif with this information (the values in the example below are from the domain the example was taken from; use the ones from your own domain.ldif).

example (a modify record has a single changetype line; the replace blocks are separated by a line containing only a hyphen):
dn: CN=Domain Users,CN=Users,o=novell
changetype: modify
replace: objectSid
objectSid:: AQUAAAAAAAUVAAAAKQ1Gb5c3AAy5it8RAQIAAA==
-
replace: samAccountName
samAccountName: Domain Users
-
replace: samAccountType
samAccountType: 268435456

Now, with the LDAPCONF variable exported earlier, use ldapmodify to apply the changes to Domain Users.
Example of using ldapmodify for a file called /tmp/domain_users_modify.ldif:
/usr/bin/ldapmodify -f /tmp/domain_users_modify.ldif
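The two steps above (copy the Domain Users section out of domain.ldif, then turn it into a modify ldif) can be scripted. The following Python is an added example and is not part of this TID or of DSfW. It parses a small constructed stand-in for domain.ldif (the objectSid of Domain Users is the value from the example above; the Domain Admins record and the folded description line are made up to exercise the parser), selects the Domain Users record by DN, and emits a single changetype: modify record with one replace block per attribute. It takes care of the two LDIF details that are easy to get wrong by hand: continuation lines that start with a space, and the double-colon marker for base64 values such as objectSid, which is copied through unchanged. All names in it (SAMPLE_DOMAIN_LDIF, WANTED_ATTRS, the functions) are this example's own.

```python
import sys

# Constructed stand-in for /var/opt/novell/xad/ds/domain/domain.ldif (not the real file).
# The objectSid of Domain Users is the value shown in the TID; everything else is made up.
SAMPLE_DOMAIN_LDIF = """\
# constructed sample, not a real domain.ldif
dn: CN=Domain Admins,CN=Users,o=novell
cn: Domain Admins
objectSid:: AQUAAAAAAAUVAAAAKQ1Gb5c3AAy5it8RAAIAAA==
samAccountName: Domain Admins
samAccountType: 268435456

dn: CN=Domain Users,CN=Users,o=novell
cn: Domain Users
description: All domain
  users
objectSid:: AQUAAAAAAAUVAAAAKQ1Gb5c3AAy5it8RAQIAAA==
samAccountName: Domain Users
samAccountType: 268435456
"""

DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,o=novell"
# The attributes ldapadd got wrong and that must be replaced from domain.ldif.
WANTED_ATTRS = ("objectSid", "samAccountName", "samAccountType")


def unfold_ldif(text):
    """Join RFC 2849 continuation lines (a line starting with one space
    continues the previous line) and drop '#' comment lines."""
    lines, in_comment = [], False
    for raw in text.splitlines():
        if raw.startswith(" "):
            if lines and not in_comment:
                lines[-1] += raw[1:]
            continue
        in_comment = raw.startswith("#")
        if not in_comment:
            lines.append(raw)
    return lines


def parse_ldif_records(text):
    """Split an LDIF file into records (separated by blank lines). Each record is a
    list of (attribute, value, is_base64) tuples; a value written with '::' is kept
    as its base64 text so it can be copied through unchanged."""
    records, current = [], []
    for line in unfold_ldif(text) + [""]:   # trailing sentinel flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = []
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        is_base64 = rest.startswith(":")
        value = (rest[1:] if is_base64 else rest).strip()
        current.append((name.strip(), value, is_base64))
    return records


def find_record(text, dn):
    """Return the record with the given dn (DNs compare case-insensitively), or None."""
    for record in parse_ldif_records(text):
        for name, value, _ in record:
            if name.lower() == "dn":
                if value.lower() == dn.lower():
                    return record
                break
    return None


def build_modify_ldif(record, attrs=WANTED_ATTRS):
    """Emit one 'changetype: modify' record: a single changetype line, then one
    'replace:' block per attribute, each block terminated by a line with only '-'."""
    # Last value wins for multi-valued attributes; the three wanted ones are single-valued.
    by_name = {name.lower(): (name, value, b64) for name, value, b64 in record}
    dn = by_name["dn"][1]
    out = ["dn: " + dn, "changetype: modify"]
    for wanted in attrs:
        if wanted.lower() not in by_name:
            raise KeyError("%s missing from record %s" % (wanted, dn))
        name, value, is_base64 = by_name[wanted.lower()]
        out.append("replace: " + name)
        out.append("%s:%s %s" % (name, ":" if is_base64 else "", value))
        out.append("-")
    return "\n".join(out) + "\n"


def modify_ldif_for_domain_users(text, dn=DOMAIN_USERS_DN):
    """The complete modify ldif for Domain Users, built from domain.ldif text."""
    record = find_record(text, dn)
    if record is None:
        raise LookupError("no record with dn %s" % dn)
    return build_modify_ldif(record)


if __name__ == "__main__":
    # With a path argument, read the real domain.ldif; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_DOMAIN_LDIF
    sys.stdout.write(modify_ldif_for_domain_users(source))
```

Redirect the output to a file such as /tmp/domain_users_modify.ldif and feed it to ldapmodify as described above. The generated record ends every replace block, including the last one, with a hyphen line as RFC 2849 specifies; ldapmodify accepts that form as well as the one without the final hyphen.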

Verify with wbinfo that the SID of the Domain Users group ends with 513 (the well-known RID of Domain Users).
First restart winbind to clear its cache; otherwise it might show the old SID if wbinfo was run between the creation and the modification of the Domain Users group.

Example:
rcwinbind restart
wbinfo -n "domain users"

Returns:
S-1-5-21-1864561865-201340823-299862713-513 Domain Group (2)
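Decoding the SID yourself is a second check that does not depend on winbind's cache. The following Python is an added example and is not part of this TID or of DSfW. It unpacks the binary objectSid (one revision byte, one sub-authority count byte, a 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities) from the base64 text used in the modify ldif above, renders it in the S-1-5-... form, and confirms that the last sub-authority, the RID, is 513. The same RID check is applied to a wbinfo output line of the form shown above. The length and revision checks are there so that a pasted value that was truncated or mangled is rejected instead of being misread; the decoded domain part should be compared against what wbinfo prints for your own domain. The constants and function names are this example's own.

```python
import base64
import struct

DOMAIN_USERS_RID = 513          # well-known RID of Domain Users (DOMAIN_GROUP_RID_USERS)
# Base64 objectSid value taken from the modify ldif example in the TID.
DOMAIN_USERS_OBJECTSID_B64 = "AQUAAAAAAAUVAAAAKQ1Gb5c3AAy5it8RAQIAAA=="


def decode_sid(blob):
    """Render a binary SID as S-<rev>-<authority>-<sub1>-...-<subN>.
    Layout: 1 byte revision, 1 byte sub-authority count, 6 bytes identifier
    authority (big-endian), then count x 4-byte little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID has %d bytes but sub-authority count %d implies %d"
                         % (len(blob), count, 8 + 4 * count))
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_from_ldif_base64(text):
    """Decode an 'objectSid:: <base64>' value as written in an LDIF file."""
    return decode_sid(base64.b64decode(text.strip()))


def rid_of(sid_string):
    """The relative identifier is the last sub-authority of the SID."""
    return int(sid_string.rsplit("-", 1)[1])


def sid_from_wbinfo_line(line):
    """First token of a 'wbinfo -n' output line, e.g.
    'S-1-5-21-...-513 Domain Group (2)' -> 'S-1-5-21-...-513'."""
    sid = line.split()[0]
    if not sid.startswith("S-"):
        raise ValueError("not a wbinfo SID line: %r" % line)
    return sid


def is_domain_users_sid(sid_string):
    """True when the SID's RID is 513, whatever the domain part is."""
    return rid_of(sid_string) == DOMAIN_USERS_RID


if __name__ == "__main__":
    sid = sid_from_ldif_base64(DOMAIN_USERS_OBJECTSID_B64)
    print(sid, "RID ok" if is_domain_users_sid(sid) else "RID WRONG")
```

Paste the objectSid value from your own domain.ldif into DOMAIN_USERS_OBJECTSID_B64 (or call sid_from_ldif_base64 with it) and the printed SID should be the one wbinfo returns after the restart.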

The member attribute is not yet populated with all the users in the domain.  To make the users members of the Domain Users group, samify the users.  All that has to happen is that the users are modified, or, even easier, use domaincntrl --samify to re-samify them.

How to re-samify the users:
To use domaincntrl a Kerberos ticket is required.  First obtain a ticket for Administrator with kinit.
example:
kinit Administrator@novell.com
After entering the password, list the tickets with klist.  It should return something like this:

Valid starting            Expires                    Service Principal
09/15/11 08:00:00   09/23/11 18:00:00   krbtgt/NOVELL.COM@NOVELL.COM
                 renew until 09/24/11 08:00:00

Now the domaincntrl tool can be used.  Run domaincntrl --samify.  It lists the partitions in the domain.  Enter the number of the partition to begin the samify process.  That is it.  Run domaincntrl --samify again until all partitions within the domain have been samified.
Now check the member attribute on the Domain Users group.  All users within the domain should be listed.
You can use MMC, ConsoleOne, iManager, or ldapsearch to verify this.

Additional Information

Add the Domain Users group as a member of the Unix Workstation object of each server on which NSS access is needed.

This process can also be used for the Administrator account.

The ldapsearch command to verify that the users have been added back as members of the Domain Users group is:
LDAPCONF=/etc/opt/novell/xad/openldap/openldap.conf /usr/bin/ldapsearch -Y EXTERNAL -LLL -Q -b "cn=Domain Users,cn=users,dc=yourdomain,dc=com" member

Video on How to re-create Domain Users Group