Set Up Administrator Groups

Set Up Administrator Groups
Rob Kirkland

When you're setting up your Domino server, you have several tasks to complete so that the setup will be accomplished correctly. One of the more important tasks is setting up administrator groups, which this tip, from Domino System Administration, by Rob Kirkland, published by New Riders, explains.

-----------------------------------------------------

As with all the other named entities in Notes, you should have developed a policy for the creation and naming of groups before ever setting up the first server in your domain. Among the groups you should have decided to establish are at least two that you will want to create now:

• A group to hold the names of all your Domino administrators. It might be named Administrators, Admins, DominoAdmins, or GlobalAdmins. If you chose the Set Access Control List Entry option at the end of the initial server configuration process, Domino already created this group for you. It also populated it with the name of your first user and added it as Manager to the ACLs of all existing databases.
• A "deny access" group to hold the names of all entities (people, groups, and servers) that are persona non grata in your domain. No such entities will exist at this time but this group will grow over time, as (for example) employees leave the company. This group might be called Terminated, Inactive Users, Outlaws, or any other name that conveys its purpose.

You will want to create at least these two groups ahead of time, and maybe others. To create a group, follow these steps.

1. Open the Groups view of the Domain Directory. In Domain Administrator, this is on the People and Groups page. (You'll notice that the two groups already exist--LocalDomainServers and OtherDomainServers.)
2. Create a new Group document. (In Domino Administrator, you can click Add Group in the toolbar above the Groups view, or in the menu you can choose People, Groups, Create, or in the Tools pane you can choose Groups, Create.)
3. Fill in the fields:
   • Group name. This is the name by which the group will be identified in all lists. The group name may include spaces. For readability, it should be proper case. It should also be descriptive without being verbose.
   • Group Type. For your Administrators group choose either "Multi-purpose" or "Access Control List only." For your Inactive Users group, choose "Deny List only." As a general rule, you should not leave any group as a "multi-purpose" group unless you know the group name will be used both in access lists and as a mailing list. Domino creates an index for every possible function of the group. Therefore, it has to work harder to maintain multipurpose groups than single-purpose groups. You can improve the overall performance of your servers by using single-purpose groups whenever possible.
   • Description. Always enter a description of the group you are creating that will convey to you a year from now (and to your successors) the group's purpose. Eventually, you will have a lot of groups and inevitably you will forget (or a successor will have to figure out) each group's original purpose. Having an informative description will make it much easier.
   • Members. Add members to the group either by typing their names (but watch out for typos--they can kill you) or, better yet, clicking the helper button next to the field and adding members' names from the Names dialog box. Members can be people, servers, and other groups. You can nest groups up to five levels deep for mail routing, six levels deep for other purposes. However, those are theoretical limits. I don't recommend you ever nest groups that deep in real life.
   • Owners. Notes will enter your name in this field by default. That means you can edit this document in the future. You might want to add or substitute a group name.
   • Administrators. Notes will enter your name in this field by default. That means you can edit this document in the future. You might want to add or substitute a group name.
   • Foreign Directory Sync Allowed. The default, Yes, allows Domino to send information about this group to foreign directories.
4. Save and close the document.

-----------------------------------------------------

To learn more about Domino System Administration, or to buy this book, click here.