Maintaining Administrative Lists

Administrative lists for server processes can initially be created in one of two ways:

· A server process automatically creates its administrative list when it is started on a machine if the list does not already exist on the local disk of the machine. By default, a process places its list in the configuration directory, dcelocal/var/dfs. An administrative list generated by a process is always empty.

· You can create an administrative list for any process except the BOS Server by including the -createlist option with the bos addadmin command. The BOS Server is excepted because it must be running for you to issue the bos addadmin command, and every process creates its administrative list at startup if the list does not already exist; the admin.bos list therefore already exists by the time you can issue the bos addadmin command.

Every server machine stores administrative lists for its processes on its local disk. It is recommended that all administrative lists be stored in the default directory, dcelocal/var/dfs. If the administrative list for a process is stored in a different directory, you must specify the full pathname of the list when you start the process. For example, if you store the admin.bos file in a directory called dcelocal/var/dfs/config, you must use that pathname when you start the bosserver process on that machine.

Do not create multiple copies of administrative lists and store them in different directories; multiple copies make it difficult to determine who has administrative privilege and can result in unauthorized users executing restricted commands. Note that a Private File Server machine typically has specialized versions of the admin.bos and admin.ft administrative lists to allow its administrators to manage its processes and the data it contains. Such lists can reside in the dcelocal/var/dfs directory, but they should not be retrieved from the System Control machine via the Update Server.

To guarantee that all users and groups have the same privileges on all server machines, the same users and groups must be on the administrative lists that grant those privileges on each machine. If the same copy of an administrative list is not distributed to all machines in the domain, users can be prohibited from issuing commands on specific machines. For instance, suppose a user is listed in the admin.ft file on machine fs1 but is not listed in the admin.ft file on machine fs2. The user can issue commands that affect filesets on fs1, but the user cannot issue commands that affect filesets on fs2.

To maintain consistency among administrative lists, use the following guidelines:

· Make all changes only to the files stored on the domain's System Control machine.

· Ensure that all other server machines in the domain are running the upclient process to reference the appropriate administrative lists on the System Control machine. The upclient and upserver processes then automatically maintain the synchronization of the administrative lists.
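As an added example (not part of the DFS documentation or tooling), the following shell functions audit one server machine for the two problems described above: copies of administrative lists outside dcelocal/var/dfs, and lists that differ from a reference copy of the System Control machine's lists. The function names, the reference-copy directory, and the skip arguments are assumptions; list files are compared as opaque bytes.

```shell
#!/bin/sh
# Added example: audit the administrative lists on one DFS server machine.
# Assumptions: DCELOCAL is passed without a trailing slash; REF_DIR holds a
# copy of the System Control machine's lists; lists are opaque byte strings.

# Print every admin.* file under DCELOCAL that is not directly in
# DCELOCAL/var/dfs (for example a second admin.bos in var/dfs/config).
find_stray_lists() {
    dcelocal=$1
    find "$dcelocal" -type f -name 'admin.*' | while IFS= read -r f; do
        if [ "$(dirname "$f")" != "$dcelocal/var/dfs" ]; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Print the name of each list in REF_DIR whose copy in LOCAL_DIR is missing
# or differs. Extra arguments name lists to skip, such as the specialized
# admin.bos and admin.ft of a Private File Server machine.
list_drift() {
    ref=$1
    local_dir=$2
    shift 2
    for r in "$ref"/admin.*; do
        [ -f "$r" ] || continue
        name=${r##*/}
        case " $* " in *" $name "*) continue ;; esac
        if ! cmp -s "$r" "$local_dir/$name" 2>/dev/null; then
            printf '%s\n' "$name"
        fi
    done
}

# Usage: sh <this script> DCELOCAL REF_DIR [list-to-skip ...]
if [ "$#" -ge 2 ]; then
    root=$1
    refdir=$2
    shift 2
    find_stray_lists "$root"
    list_drift "$refdir" "$root/var/dfs" "$@"
fi
```

Any path printed by find_stray_lists is a second copy to investigate, and any name printed by list_drift is a list that upclient has not brought into line with the System Control machine.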

You can remove an administrative list that you no longer need by including the -removelist option with the bos rmadmin command. If you use the command to remove the last member from an administrative list or if a list contains no members when you issue the command, the -removelist option specifies that the list is to be removed. The option has no effect if the list is not empty.

More:

Listing Principals and Groups in Administrative Lists

Adding Principals and Groups to Administrative Lists

Removing Principals and Groups from Administrative Lists