Solved

ECL without creators ID and/or privs

Posted on 2002-04-04
Last Modified: 2013-12-18
I want to change the ECL on our domain but keep running into ECL security issues. The alleged person who created the domain as it is has left the organisation and has been deleted from the NAB. How can I change the permissions on running the ECL agent without his ID (which is rendered useless because it has expired as well)?

Our domain consists of over 2000 Notes users and over 40 servers, so installing a new NAB and creating a new domain are out of the question.
Question by:EricMD
11 Comments
 
LVL 24

Expert Comment

by:HemanthaKumar
ID: 6918111
Switch to the current admin ID, open the agent in Designer, then resave it. This should incorporate the current admin access and signatures.

~Hemanth
0
 
LVL 10

Expert Comment

by:zvonko
ID: 6918128
I do not understand your problem.

Either this general ExecutionControlList allows agents signed by this "security hole" user to run :-) and you are too lazy to change this fact,
or you do not know how to distribute your CommonName as signer for agents and other design elements to all workstation ECLs.

At our installation we do not use person IDs for application signing. We have special application signing IDs for every block of applications which we release for production. One such signer CommonName could be:
BulletinBoard/App/CompanyOrg

So your ECL can allow execution of all */App/CompanyOrg signed designs.

If you like to live with the security hole, then recreate the same CommonName as the deleted one, for application signing purposes. Public keys are not compared at the ECL level.

Good luck,
zvonko


0
 
LVL 10

Expert Comment

by:zvonko
ID: 6918170
Eric, one more thing about the questions...

I saw you created your account today. I am happy we have you among us as an expert. But please keep in mind what the biggest problem in our EE community is: abandoned questions.
And you have to know, as soon as a question is answered, none of the other experts have much interest in getting involved until the "wrong" answer is rejected by the questioner. Most questioners sit there and wait until the right answer comes along. They do not get much involved in their own questions :-)

You also answered a question on your first day. At first look this is an enthusiastic manner. But please keep this abandoned question problem in mind.

Thank you,
zvonko
0
 
LVL 13

Expert Comment

by:CRAK
ID: 6919043
Hi Eric, welcome!
I told you this would have a better response than notes.net!?

Zvonko,
Eric is a colleague of mine: he's one of the administrators, I'm one of the developers. He's not any lazier than any of us here!

I don't fully understand the problem. I only saw the symptoms briefly. Even though he owns admin IDs etc., the ECL checkboxes remain greyed out... and something needs to be altered badly!
0
 
LVL 10

Expert Comment

by:zvonko
ID: 6919282
I am lazy :-)

OK, where do you see this disabled (grayed) ECL checkbox?

Are you sure you are not talking about ACL :-)

Or are you talking about the names.nsf Action "EditAdministrationECL" in your domain's names.nsf?

If you are really talking about your domain's ECL, then make a local copy of your names.nsf and try to modify this ECL there. Stop the server and bring the names.nsf back to the server (and hope that this will replicate to the other servers' names.nsf, I don't know :-)

If this AdministrationECL really is not titled: ECLforAdministrator
but something like: ECLforJohnDoe/OU/Org
then create this damned JohnDoe within the same hierarchy and use this as I proposed in my first comment.


 
LVL 10

Accepted Solution

by:
zvonko earned 50 total points
ID: 6919380
My assumption that the AdministrationECL is not replicating seems to be a known problem to Lotus:
http://www.notes.net/46dom.nsf/55c38d716d632d9b8525689b005ba1c0/1b88da8dfbffb24085256ae9004c1e9c?OpenDocument

Anyway, the best solution is to set it manually at every server (when not greyed :-)

Another idea would be to create a new AdministrationECL with this command:
http://doc.notes.net/domino_notes/5.0.3/help5_designer.nsf/078c27b23262ffff852566dd0029426a/7f1a8981105618608525687e00586688?OpenDocument&AutoFramed

and afterwards distribute a mail with a button updating the users' workstation ECL as described here:
http://doc.notes.net/domino_notes/5.0.3/help5_designer.nsf/f4b82fbb75e942a6852566ac0037f284/7a1f88fe766885d48525687e00586d90?OpenDocument&AutoFramed



0
 
LVL 9

Expert Comment

by:Arunkumar
ID: 6920601
Hey Eric !
Welcome to the Forum.  
:-)
0
 

Author Comment

by:EricMD
ID: 6922085
Okay guys, here's the answer. I got it from another Notes admin who I happened to run into. It worked like a charm:


Create a new location document and remove the home server name from it.
Switch to that location and go to the ECL. Press refresh. Since there is no server on which the ECL is able to verify, it will give you local control, which is full. Now go to the address book and run the agent.

I tried it and it worked. Is this a security bug in Notes or just an undocumented feature :-)

thanks for all the help.

Eric
0
 
LVL 10

Expert Comment

by:zvonko
ID: 6922560
I still do not know exactly what you are talking about.

Whether it is a security hole to change the local ECL I also will never know, because in our installations we do not forbid changing private ECLs.

Anyway, the good ending is that you found your solution.

You now have two options: accept any comment as the answer to keep your solution as a foundation for the next questioner,
or delete this question because of all these misunderstandings and get your question points refunded.

In any case, thank you for the feedback :-) EE is full of abandoned questions where questioners found their solutions in some way and were too frustrated to close their questions.

Regards,
zvonko

0
 

Author Comment

by:EricMD
ID: 6922586
Although it was not the answer to the problem, it did contain a link for creating the mail to our users.
0
 
LVL 10

Expert Comment

by:zvonko
ID: 6922594
Thanks for the feedback and for the points :-)

Did you know that this B grading is not a school grading? It is an Expert points multiplier.

Only for the future... <|:-)

So long,
zvonko


