Solved

Un-Delete a terminated User in Lotus Notes issue....

Posted on 2013-12-18
Last Modified: 2013-12-26
Hello,

Release 8.5.2FP4 SHF172
Revision 20111118.0756-T00172SHF-FP4 (Release 8.5.2FP4 SHF172)
Standard Configuration

Clients: Windows 7

I am trying to bring back 3 former users that had active email accounts. The users were moved to the "terminated users" group on Lotus Notes Server upon their resignation.

I have tried to remove the users from the group, by (1) deleting their names from the group, but under the user's detail, once I re-establish the mail box, the users still show as part of the "Terminated Users" group when you look at their effective permissions under their database. So I keep getting the error that the users have no permissions on the server etc, etc.

(2) I even tried deleting their original person doc and (3) database and waited for 72 hours and recreated them, just like a new user, and again the person is denied access because the server thinks they are still part of the "Terminated Users" group. So when I go check their database's Access Control > Manage > Effective Access... it lists them as part of the "Terminated Users" group. I then look at the group membership again, "Terminated Users", and none of them are listed on it.

So I do not know where the entry is embedded. I figure it has to be somewhere, but I just am not sure where to look.

FYI: I have also been only working on Notes for 18 months and was thrown into this with no formal training. So please make your responses less abbreviated if possible.

Thanks!
Question by:wishd
12 Comments
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 39728013
I have no immediate answer for you, for I'm more of a developer than an admin guy, but luckily for you there are other experts here who should know more about this. So I only have some general questions or hints for you.

Did you use ADMINP to update the Domino configuration?
Is there more than one Deny Access group maybe?
Did you verify the Server document, the Security tab, under Allow access to ?
0
 
LVL 14

Expert Comment

by:ThomasMcA2
ID: 39728395
It might help to create a view in the Public Address Book that shows users by their group membership. You will then be able to select your "terminated" users in this view, and it will list all groups that they belong to. Follow these steps:

1) Name the view People\by Group Membership so that it lives under the built-in People view.
2) Set the Selection Formula for the view to SELECT (Form = "Group" )
3) Create a Members column with this formula: @Name([CN]; Members)
4) In the properties of that Members column set the Multi-value separator to New Line.
5) Add a List Name column that selects the ListName field

You can then open the view, find the user's name, and double-click the Group name to open it.
0
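An added example (not part of ThomasMcA2's post and not Domino code): the same group-to-member inversion that the view above performs, run offline in Python over exported group documents and extended to follow nested groups, which a flat view does not show. The `ListName` and `Members` field names come from the steps above; the sample documents, the dict export format and the helper names `common_name` and `groups_for` are assumptions.

```python
# Added example: invert group documents into a member -> groups lookup,
# following nested groups. ListName and Members are the field names used in
# the view steps above; everything else here is constructed for illustration.

def common_name(name):
    """Rough equivalent of @Name([CN]; name): 'CN=Jane Roe/O=Acme' -> 'Jane Roe'."""
    first = name.split("/", 1)[0].strip()
    return first[3:] if first.upper().startswith("CN=") else first

def groups_for(user, group_docs):
    """Return {group: path} for every group containing user, directly or via
    nested groups. path is the chain from the direct group outward."""
    # Map each member (lower-cased common name) to the groups listing it directly.
    direct = {}
    for doc in group_docs:
        for member in doc["Members"]:
            direct.setdefault(common_name(member).lower(), []).append(doc["ListName"])
    found = {}
    queue = [(g, [g]) for g in direct.get(common_name(user).lower(), [])]
    while queue:
        group, path = queue.pop(0)
        if group in found:  # already reached; this also stops circular nesting
            continue
        found[group] = path
        # A group listed as a member of another group passes membership upward.
        for parent in direct.get(group.lower(), []):
            queue.append((parent, path + [parent]))
    return found

# Constructed sample group documents (hypothetical names).
SAMPLE_GROUPS = [
    {"ListName": "Terminated Users", "Members": ["CN=Old Employee/O=Acme", "Former Staff"]},
    {"ListName": "Former Staff", "Members": ["CN=Jane Roe/O=Acme"]},
    {"ListName": "Sales", "Members": ["CN=Jane Roe/O=Acme", "CN=John Doe/O=Acme"]},
    {"ListName": "Loop A", "Members": ["Loop B"]},
    {"ListName": "Loop B", "Members": ["Loop A", "CN=John Doe/O=Acme"]},
]

if __name__ == "__main__":
    for group, path in groups_for("Jane Roe/Acme", SAMPLE_GROUPS).items():
        print(f"{group}: via {' -> '.join(path)}")
```

In the sample, Jane Roe is not listed in "Terminated Users" directly but reaches it through the nested "Former Staff" group, the kind of indirect entry that opening the deny group alone would not reveal.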
 
LVL 4

Expert Comment

by:umeli
ID: 39728582
Hi
Are there more than one Deny Access Groups defined in your environment?
0
 
LVL 15

Expert Comment

by:akhafaf
ID: 39728871
Hi there,

I would suggest you re-try the suggestions you have mentioned in the question, in addition to a downtime and a server restart.

Then check what happens.

Best Wishes
0
 

Author Comment

by:wishd
ID: 39729132
Hi, (1) there is only one group that is for terminated users and no other deny groups. (2) We could reboot but that would be very hard to schedule since we are in our very busy season and we are running 24 hours a day right now with sales and can't really justify a restart right now. I can't imagine a restart would be part of the process for anyone we want to bring back, but as a troubleshooting step I understand why you are suggesting it. I just can't do that every time I want to remove someone from the group. I will try to see if I can schedule it but it may not happen until after the first of the year. In the meantime I did create the 3 users with slightly different email accounts so they do not match exactly the old ones. I then was able to add an alias that did match the old addresses so they do essentially have the same email address as before, but as an alias; the actual internet address on the mailbox has a "1" on the end. That is the only way I was able to get them back in the system. In light of this I assume that the server has no record of the former email address...???...because if it did I would think there would be a conflict. I was able to send email to their accounts from outside our network and it reached all three of them. I just know that in the past if I tried to add a duplicate email address anywhere it would bounce back because it is in two places.
0
 
LVL 14

Accepted Solution

by:
ThomasMcA2 earned 400 total points
ID: 39729607
If they are no longer in the Terminated Users group, but the Effective Access button says they are, then the "group cache" on the server needs to be cleared/reset. Run this console command to clear the cache:
show nlcache reset

0
 
LVL 1

Expert Comment

by:Hans Holt, Ph.D.
ID: 39730907
Create the person with a slightly other name - like add a middle name or omit it.
Then you have a new person - that should work.
0
 
LVL 15

Expert Comment

by:akhafaf
ID: 39731541
Did you manage to get a downtime and restart the server, then check?
As I suggested in my previous comment...
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 39735015
Other things to check.... so you have looked in server names.nsf and under Groups / Deny Access groups and there are no other groups there, no replication conflicts that might have them in etc?

Second, open the server document, in names.nsf into Configuration, Servers, All Server documents and choose the relevant one.

In the second tab "security", look at the "not access server" and "access server".  Any clues from that - maybe a non "deny access" group that has been put in the "not access server", or the other way around, only members of "All users" group can access the server.

It should really only come down to:

1) The user has ID file which is valid and they have password.  Now they can communicate with the server.
2) They have a person document, it has the key in there matching that ID file
3) The server document listed access server / not access server is obeyed, i.e. whichever groups  they should be in, and/or if they are listed as users in the servers document then remove them.

Steve
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 39735019
Another good check is to set the internet password in their person document and try logging in through a web browser, i.e. http://servername/names.nsf for starters.

Steve
0
 
LVL 1

Expert Comment

by:Hans Holt, Ph.D.
ID: 39735197
@dragon-it
Deny-access groups do not deny web access.
If a user has a person document and knows the http-password, he can get web access even when the name is in a deny access group.
So if there is web access - a deny access group could be the problem.
Notice that there can be several deny access groups.

I have seen errors in the ($users) view stopping access for new users. Rebuild this view to solve that problem.
0
 

Author Closing Comment

by:wishd
ID: 39739977
ThomasMcA2, Thank you! It worked fine. I ran the command and waited 24 hours before trying to re-create the user. When I did re-create them they were no longer showing part of the "Terminated" users group and I was able to set up Notes for each of them without getting the denied server access message.

Thank you again!
0
