OVER32.EXE      Utility to allow over 32 Security Equivalences
                
                Read this document carefully before running OVER32.EXE.


Problem:        All current versions of NetWare (v2.2/v3.11) will allow that 
                users are members of more than 32 groups, but only a maximum 
                of 32 security equivalences will be checked by NetWare when 
                determining a users' trustee rights.  OVER32 will allow 
                NetWare to handle over 32 group memberships correctly.

Solution 1:     Re-think your servers security structure, reduce the number 
                of groups a user is member of. This can be done by combining 
                groups, or by deleting unneeded groups.  
                This solution is should be preferred to using OVER32 !

Solution 2:     If you definitely have to handle users with more than 32 
                group memberships, you can use OVER32 as a workaround.
                Be aware of the limitations of OVER32 that are listed below.

*
Background:     Security equivalences are stored in the NetWare bindery in 
                128-byte segments. Each segment can contain up to 32 ID's 
                (with 4 bytes each). If a user has more than 32 security 
                equivalences, those will be stored in additional segments.
                However, only the first segment will be interpreted when 
                NetWare determines directory rights. Therefor the trustee 
                rights of groups stored behind the first segment will not 
                affect a user's directory rights.
                Another problem might occur when security equivalences are 
                added and removed: Assumed that you add a user to 50 groups, 
                group #1-#32 will be stored in the first, #33-#50 in the 2nd 
                segment. If you remove memberships #1-#20 later, the IDs 
                #21-#32 will stay in the 1st, #33-#50 will remain in the 2nd 
                segment and will not affect the user's rights at all: only 
                the remaining groups from the first segment (#21-#32) will 
                affect this user's rights. 

                OVER32 sees 3 types of users and treats them according to 
                    their needs ("OVER32 /I" will show those different user 
                    types without taking any action):
                Type A: 
                    All security equivalences (32 or less) are stored in 
                    segment one. No action is required. 
                Type B: 
                    The user currently has no more than 32 security 
                    equivalences, but these are distributed on 2 or more 
                    segments.  OVER32 will restructure the segments and move 
                    all IDs to the first segment. 
                Type C: 
                    The user currently has over 32 security equivalences, 
                    and NetWare ignores all but those stored in the first 
                    segment. 
                    OVER32 will create a new bindery object. This object is 
                    of type '32032' and has the name of the user preceded by 
                    '32_'. OVER32 will make the user security equivalent to 
                    this new object. Then the new object will be assigned 
                    the trustee rights of all groups not stored in the first 
                    segment. This new object will therefor have the trustee 
                    assignments of all groups that NetWare couldn't handle.

*
Syntax          Function

OVER32 /?       Display this help information

OVER32 /I       Show the users that might need OVER32

OVER32 <user>   All users matching the specified pattern (wildcards allowed) 
                will be checked and (if necessary) adapted to support over 
                32 security equivalences.

OVER32 /C       Cancel effects of OVER32; delete all objects created by 
                OVER32.  This option will normally not be needed since 
                OVER32 automatically deletes a hidden object it created if 
                it is no longer needed.

Examples:
    OVER32 *            Check and adapt all users
    OVER32 WSCHREIB     Check and adapt specified user
    OVER32 W*           Check multiple users

*
Error messages: When OVER32 displays error messages during its operation 
                write down the message and follow its instructions.


Precautions:    Though it is not expected that OVER32 will cause any trouble 
                it is strongly recommended that you run a NetWare utility 
                like NBACKUP to backup your bindery before using OVER32.


Limitations:    - while NetWare can handle no more than 32 security 
                equivalences, OVER32 is restricted to 1000 security 
                equivalences.
                - due to the way NetWare handles security equivalences, only 
                the first 32 security equivalences can be dynamically 
                handled (changes in group rights affect changes in member 
                rights automatically). 
                Changes in trustee assignments of the 33rd group and all 
                following groups will not be handled automatically by 
                OVER32 ! 
                Whenever group rights or group memberships are changed you 
                should run OVER32 to let those changes take effect on the 
                users' trustee rights !

*
Side effects:   - The new objects created by OVER32 will appear in SYSCON as 
                in the menu option 'Security Equivalences' and begin with 
                the string '32_'. This is expected and desired.
                - The new objects may show up in utilities that display 
                trustee assignments (FILER, SLIST). This is expected and 
                desired.