ECL without creator's ID and/or privs

Posted on 2002-04-04
Medium Priority
Last Modified: 2013-12-18
I want to change ECL on our domain but keep running into ECL security issues. The alleged person who created the domain as it is has left the organisation and has been deleted from the NAB. How can I change the permissions on running the ECL agent without his ID (which is rendered useless because it has expired as well)?

Our domain consists of over 2000 Notes users and over 40 servers, so installing a new NAB and creating a new domain are out of the question.
Question by: EricMD
LVL 24

Expert Comment

ID: 6918111
Switch to the current admin ID, open the agent in Designer, then resave it. This should incorporate the current admin access and signatures.

LVL 10

Expert Comment

ID: 6918128
I do not understand your problem.

Either this general ExecutionControlList allows agent run for agents signed by this "security hole" user :-) and you are too lazy to change this fact,
or you do not know how to distribute your CommonName as signer for agents and other design elements to all workstation ECLs.

At our installation we do not use person IDs for application signing. We have special application signing IDs for every block of applications which we release for production. One such signer CommonName could be:

So your ECL can allow execution of all */App/CompanyOrg signed designs.

If you like to live with the security hole, then recreate the same CommonName as the deleted one for application signing purposes. Public keys are not compared at ECL level.

Good luck,

LVL 10

Expert Comment

ID: 6918170
Eric, one more thing about the questions...

I saw you have created your account today. I am happy we have you among us as an expert. But please keep in mind what the biggest problem in our EE community is: abandoned questions.
And you have to know, as soon as a question is answered, none of the other experts have much interest in getting involved until the "wrong" answer is rejected by the questioner. Most of the questioners sit there and wait until the right answer comes along. They do not get much involved in their own questions :-)

You have also answered a question on your first day. At first look this is an enthusiastic manner. But please keep this abandoned question problem in mind.

Thank you,

LVL 13

Expert Comment

ID: 6919043
Hi Eric, welcome!
I told you this would have a better response than notes.net!?

Eric is a colleague of mine: he's one of the administrators, I'm one of the developers. He's not any lazier than any of us here!

I don't fully understand the problem. I only saw the symptoms briefly. Even though he owns admin IDs etc., the ECL checkboxes remain greyed out... and something needs to be altered badly!
LVL 10

Expert Comment

ID: 6919282
I am lazy :-)

OK, where do you see this disabled (grayed) ECL checkbox?

Are you sure you are not talking about ACL :-)

Or are you talking about the names.nsf Action "EditAdministrationECL" in your domain's names.nsf?

If you are really talking about your domain's ECL, then make a local copy of your names.nsf and try to modify this ECL there. Stop the server and bring the names.nsf back to the server (and hope that this will replicate to the other servers' names.nsf, I don't know :-)

If this AdministrationECL is really not titled: ECLforAdministrator
but something like: ECLforJohnDoe/OU/Org
then create this damned JohnDoe within the same hierarchy and use this as I proposed in my first comment.

LVL 10

Accepted Solution

zvonko earned 150 total points
ID: 6919380
My assumption that AdministrationECL is not replicating seems to be a known problem to Lotus:

Anyway, the best solution is to set it manually at every server (when not greyed :-)

Another idea would be to create a new AdministrationECL with this command:

and afterwards distribute a mail with a button updating users' workstation ECL as described here:


Expert Comment

ID: 6920601
Hey Eric!
Welcome to the Forum.

Author Comment

ID: 6922085
Okay guys, here's the answer. I got it from another Notes admin who I happened to run into. It worked like a charm:

Create a new location document and remove the home server name from it.
Switch to that location and go to the ECL. Press refresh. Since there is no server on which the ECL is able to verify, it will give you local control, which is full. Now go to the address book and run the agent.

I tried it and it worked. Is this a security bug in Notes or just an undocumented feature :-)

thanks for all the help.

LVL 10

Expert Comment

ID: 6922560
I still do not know exactly what you are talking about.

Whether it is a security hole to change the local ECL I also will never know, because in our installations we do not forbid changing private ECLs.

Anyway, the good ending is that you found your solution.

You now have two options: accept any comment as answer to keep your solution as a foundation for the next questioner,
or delete this question because of all these misunderstandings and reward your question points.

In any case, thank you for the feedback :-) EE is full of abandoned questions where questioners found their solutions in some way and were too frustrated to close their questions.



Author Comment

ID: 6922586
Although it was not the answer to the problem, it did contain a link for creating the mail towards our users.
LVL 10

Expert Comment

ID: 6922594
Thanks for the feedback and for the points :-)

Did you know that this B grading is not a school grading; it is an Expert points multiplier.

Only for the future... <|:-)

So long,

