Problem
When a Notification Server database is moved from one server to another (or if you decide to rebuild the server) the console will be locked (Access denied or only access to the shortcut tab) after you point the NS back to the original Database.

Environment
Notification Server 6.0

Technique is best suited for when the old and new database servers are on different hosts.

Cause
The SID's of the system and Altiris Administrators local group have changed from the information stored in the Altiris database.  When the NS checks security it will fail to recognize the user as a member of the Altiris Administrators role

Resolution
NOTE:: For this to be supportable in Notification Server 7.x the source NS and destination NS servers must have the exact same name Fully Qualified name (e.g. thisNS.domain.com , it is not sufficient for just the machine name to match).


To recover from this situation. follow these steps:

1. Run the following SQL query on the database created during the NS install:

select Trustee 
from SecurityTrustee 
where Guid in 
 (select TrusteeGuid from SecurityRole where [Name] = 'Altiris Administrators')

2. Run the same query (above) on the database you can no longer access. This should return a different SID.

3. Run the following query on the database you can no longer access. This will replace the old SID with the current SID on the new NS server)

UPDATE SecurityTrustee SET Trustee = 'SID on working DB(step1)' WHERE Trustee = 'SID from the access denied DB (step2)'

4. Refresh the NS Console and you will now have access to all the tabs as per your Admin rights.


Note: An alternative method to get the SID is to logon as an Altiris Administrator account  (on the NS host) and run command "whoami /GROUPS" and copy the SID for group "Altiris Administrator".  A second alternative is to use Sysinternal's utility "psGetSid" with the /groups  "Altiris Administrators" parameter  (on the NS host).

Note: This technique only describes how to update the SID for the Altiris Administrator's Role.  The process would need to be repeated for any other Altiris Roles.  A more comprehensive approach is to rerun the NSSetup wizard (which will roll-back some NS settings to their defaults). If you don't want to run NSSetup, you can use the following query to identify the current SIDs on the Altiris Database and then modify them to use the right ones:
SELECT sr.name, st.* 
FROM securitytrustee st
LEFT JOIN securityrole sr
ON sr.trusteeguid = st.guid
ORDER BY trusteeid

You can find all the right SIDs for the new Notification Server by running from the command prompt 'whoami /all'.

NOTE:: If the above-mentioned method does not restore access to the NS Console, run the following SQL Commands in Succession against the Database:

     spStringCacheDisable

     spStringCacheEnable

After running these two commands, refresh your console page. The Console page should load.