Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Utility to syncronize ACL's and Groups to NAB

Posted on 2006-07-05
Medium Priority
Last Modified: 2013-12-18
I have renamed around 200 users from John Doe/Fake/Main to John Doe/Main. I had made sure all ACL's had the Administration server set to the server that Adminp Process was going to be running on before renaming the selected users. Once I had completed all steps in renaming the users, some of the users ACL's, and Group entries were updated, and some were not. Here are the steps taken to rename the selected users.

1. Set Administration Server for all ACL's to the server the Adminp was going to run on.
2. In the Administrator client, NAB, selected users to rename
3. Selected Actions -> rename selected users
4. Selected the old certifier and entered password
5. Selected OK at all prompts about user name
6. Preformed Tell adminp process new on the server console
7. Opened the ADMIN4.NSF and selected Name Move Request
8. Selected users and preformed "complete move for selected entries"
9. Preformed tell adminp process new at server console.
10. Went back to ADMIN4.NSF to check if there is an entry for "Initiate Rename in Domino Directory" and "Move Person's name in hierarchy"

All users selected to rename were verified in both of these sections with no errors.

Some of the users had entries in "Rename in Access Control List", "Person Documents" , ect.

Some did not.

I need to know if there is a way to re-initiate this process to update the rest of the users ACL and other entries. Maybe some kind of utility that would check all names in Groups to the ACL. Any help would be appreciated.

Question by:nicholasreker
LVL 63

Accepted Solution

SysExpert earned 672 total points
ID: 17045609
You will probably need to write your own agent in Lotus Script to resolve this if you do not have the option of reding the name change.

Did the Admin request DB show that the name change was successful for everyone ?

Check the LDD sandbox at


for sample code for ACL chages.

I hope this helps !


Author Comment

ID: 17045896
I have looked through this list of tools, but none specifically sync the AB to all groups, databases, ect. I am really looking for a tool that has already been developed being that I am in now way familiar with Notes Developement. I have been assigned to administer the Domino environment, but have had to learn by doing. I would be willing to buy a tool that would do this for future needs as well.

LVL 20

Assisted Solution

brwwiggins earned 664 total points
ID: 17046077
You might try looking into Power Tools (http://www.helpsoft.com/)

It is a really good tool and I have found it helpful. Here are some of the features it has that may help

 Find Missing ACL Entries: Find Missing ACL Entries will check the ACL of all selected databases for the specified ACL entries and report any databases that do NOT contain those ACL Entries. For example, you might want to find any databases that do not have an Anonymous entry or an Administrators entry.

 Find Unlisted ACL Entries: Scans all ACL entries in all databases on the specified server and checks to see if they exist in the specified address book. Any person, server, or group that is found in the ACL, but not found in the address book is considered UNLISTED. This utility can be used to help clean up ACLs.
  ACL Auditor: Compiles a list of all users who have access to one or more databases via explicit, wildcard or group ACL entries. ACL Auditor will return the access level, assigned roles and ACL flags (Can Create Documents, Can Delete Documents, etc.) for each person listed directly or indirectly in an ACL.
ACL Search & Replace: This utility can be used to make multiple ACL changes on selected databases on a server. It can perform one or more of the following actions: 1) Add a specified name to the ACL of all selected databases 2) Add a specified name to the ACL of all selected databases whenever a specified search name is found in the ACL 3) Change the access level of a specified name in all selected databases 4) Delete a specified name from the ACL of all selected databases 5) Replace a specified name in an ACL with another name in all selected databases.

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 18

Assisted Solution

marilyng earned 664 total points
ID: 17047454
Hi nicholasreker,
 If the applications didn't have an administration server listed in the ACL, then there would not have been an update by Adminp.    Basically, the only thing you can do is as sysExpert suggests and write an agent that will search through and compare ACL names with those in the Address book.

You can try in ALL your databases:
      1. Making sure the Databases all have an administration server assigned,
      2. Enforce a consistent ACL across all replicas
      3. In the Advanced part of the ACL: modify all Readers and Authors fields, or modify all names fields... else you will find any documents having those will lock out the users with the new names.

 In the Administration requests database to open the checked log files that say, "..performed action" and then check off, "Perform the request again?"

Then it should perform the look through the ACL and names fields on each server.  

Hope it works.. (Uh, also, you need to do this before 21 days are up)

LVL 63

Expert Comment

ID: 17047528
As usual
 marilyng is very good at supplying specifics.

I doubt that a tool exists that will do exactly what you want, but if it does, then you cn expect to pay > $1000 for it, and it will probably be part of a suite of tools.

I would suggest writing one or get a consultant to do it.

Else  fix them manually.

Good luck !
LVL 18

Expert Comment

ID: 17047833
grin... it's because I learned the HARD WAY!!!  

Had to merge two domains, and forgot to change ONE server acl's to be administered by the administration server. Of course, that was the one with ALL the reader/author databases, so, yes, I had to write lots of scripts to go through and find all the author and readers fields, compare the entries to those in the Address Book, and replace with the correct entries.

 I basically stepped through each database, then through each form and then through each field on each form to find the names of fields that were readers, authors or names.  Once I had the list of name fields, I could then step through each document check the list of names against the nab, and replace with the new ones.

Took quite awhile, and sysExpert is being kind at the price.. :)   The agent had to be intuitive and shut down before the limit expired on the server, and then pick up where it left off when it started again.

I didn't realise it before the Adminp purged the old requests.... so, I didn't have the option to run again.
LVL 18

Expert Comment

ID: 17047835
Of course, if you want shortcut.. rename them to anoth er ou, and then in another three months, rename them back again. :))

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You’ve got a lotus Domino web server, and you have been told that “leverage browser caching” is a must do. This means that we have to tell the browser everywhere in the web to use cache. In other words, we set (and send) an expiration date in the HT…
  In today’s Arena we can’t imagine our lives without Internet as we are highly used to of it. If we consider our life style just for only 2 min we found that face to face communication is swapped by e-communication.  Every Where from Works place to…
Integration Management Part 2
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question