Un-Delete a terminated User in Lotus Notes issue....


Release 8.5.2FP4 SHF172
Revision 20111118.0756-T00172SHF-FP4 (Release 8.5.2FP4 SHF172)
Standard Configuration

Clients: Windows 7

I am trying to bring back 3 former users that had active email accounts. The users were moved to the "terminated users" group on Lotus Notes Server upon their resignation.

I have tried to remove the users from the group by (1) deleting their names from the group, but under the user's detail, once I re-establish the mail box, the users still show as part of the "Terminated Users" group when you look at their effective permissions under their database. So I keep getting the error that the users have no permissions on the server etc, etc.

(2) I even tried deleting their original person doc and (3) database and waited for 72 hours and recreated them, just like a new user, and again the person is denied access because the server thinks they are still part of the "Terminated Users" group. So when I go check their database's Access Control > Manage > Effective Access... it lists them as part of the "Terminated Users" group. I then look at the group membership again, "Terminated Users", and none of them are listed on it.

So I do not know where the entry is embedded. I figure it has to be somewhere, but I just am not sure where to look.

FYI: I have also been only working on Notes for 18 months and was thrown into this with no formal training. So please make your responses less abbreviated if possible.

ThomasMcA2 Commented:
If they are no longer in the Terminated Users group, but the Effective Access button says they are, then the "group cache" on the server needs to be cleared/reset. Run this console command to clear the cache:
show nlcache reset

Sjef Bosman, Groupware Consultant, Commented:
I have no immediate answer for you, for I'm more of a developer than an admin guy, but luckily for you there are other experts here who should know more about this. So I only have some general questions or hints for you.

Did you use ADMINP to update the Domino configuration?
Is there more than one Deny Access group maybe?
Did you verify the Server document, the Security tab, under Allow access to ?
It might help to create a view in the Public Address Book that shows users by their group membership. You will then be able to select your "terminated" users in this view, and it will list all groups that they belong to. Follow these steps:

1) Name the view People\by Group Membership so that it lives under the built-in People view.
2) Set the Selection Formula for the view to SELECT (Form = "Group" )
3) Create a Members column with this formula: @Name([CN]; Members)
4) In the properties of that Members column set the Multi-value separator to New Line.
5) Add a List Name column that selects the ListName field

You can then open the view, find the user's name, and double-click the Group name to open it.
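
The same by-member lookup as an added example (not part of the original post), run over group documents exported from names.nsf. It goes beyond the view by also following nested groups, so a person reached only through a sub-group is still reported. The export shape, the `deny` flag and all names are assumptions made up for illustration; `ListName` and `Members` are the fields named in the steps above.

```python
import re
from collections import defaultdict

# Constructed sample: Group documents as they might be exported from names.nsf.
# The "deny" flag and every name below are made up for this example.
GROUPS = [
    {"ListName": "Terminated Users", "Members": ["Former Staff 2011"], "deny": True},
    {"ListName": "Former Staff 2011",
     "Members": ["CN=Ann Lee/O=Acme", "CN=Bob Ray/O=Acme"], "deny": False},
    {"ListName": "Sales",
     "Members": ["CN=Ann Lee/O=Acme", "CN=Cy Orr/O=Acme"], "deny": False},
]

def common_name(name):
    """Rough equivalent of @Name([CN]; name): 'CN=Ann Lee/O=Acme' -> 'Ann Lee'."""
    m = re.match(r"(?i)cn=([^/]+)", name.strip())
    return (m.group(1) if m else name).strip()

def membership(groups):
    """Map each person's common name to every group that contains them,
    directly or through nested groups."""
    by_name = {g["ListName"].lower(): g for g in groups}
    result = defaultdict(set)

    def walk(group, top, seen):
        for member in group["Members"]:
            key = common_name(member).lower()
            if key in by_name:                 # member is itself a group
                if key not in seen:            # guard against group loops
                    walk(by_name[key], top, seen | {key})
            else:
                result[common_name(member)].add(top["ListName"])

    for g in groups:
        walk(g, g, {g["ListName"].lower()})
    return result

def deny_groups_for(person, groups):
    """Deny-flagged groups that reach this person, sorted by name."""
    deny = {g["ListName"] for g in groups if g["deny"]}
    return sorted(membership(groups)[common_name(person)] & deny)

if __name__ == "__main__":
    for person, names in sorted(membership(GROUPS).items()):
        print(person, "->", sorted(names))
```
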
Is there more than one Deny Access Group defined in your environment?
Hi there,

I would suggest that you re-try the suggestions you have mentioned in the question, in addition to a downtime and a server restart.

Then check what happens.

Best Wishes
wishd (Author) Commented:
Hi, (1) there is only one group that is for terminated users and no other deny groups. (2) We could reboot but that would be very hard to schedule since we are in our very busy season and we are running 24 hours a day right now with sales and can't really justify a restart right now. I can't imagine a restart would be part of the process for anyone we want to bring back, but as a troubleshooting step I understand why you are suggesting it. I just can't do that every time I want to remove someone from the group. I will try to see if I can schedule it but it may not happen until after the first of the year. In the meantime I did create the 3 users with slightly different email accounts so they do not match exactly the old ones. I then was able to add an alias that did match the old addresses so they do essentially have the same email address as before, but as an alias; the actual internet address on the mailbox has a "1" on the end. That is the only way I was able to get them back in the system. In light of this I assume that the server has no record of the former email address...???...because if it did I would think there would be a conflict. I was able to send email to their accounts from outside our network and it reached all three of them. I just know that in the past if I tried to add a duplicate email address anywhere it would bounce back because it is in two places.
Hans Holt, Ph.D., Senior System Consultant, Commented:
Create the person with a slightly other name - like add a middle name or omit it.
Then you have a new person - that should work.
Did you manage to get a downtime and restart the server, then check?
As I suggested in my previous comment ...
Steve Knight, IT Consultancy, Commented:
Other things to check.... so you have looked in server names.nsf and under Groups / Deny Access groups and there are no other groups there, no replication conflicts that might have them in etc?

Second, open the server document, in names.nsf into Configuration, Servers, All Server documents and choose the relevant one.

In the second tab "security", look at the "not access server" and "access server". Any clues from that - maybe a non "deny access" group that has been put in the "not access server", or the other way around, only members of "All users" group can access the server.

It should really only come down to:

1) The user has ID file which is valid and they have password. Now they can communicate with the server.
2) They have a person document, it has the key in there matching that ID file
3) The server document listed access server / not access server is obeyed, i.e. whichever groups they should be in, and/or if they are listed as users in the servers document then remove them.

Steve Knight, IT Consultancy, Commented:
Another good check is set the internet password in their person document and try logging in through a web browser, i.e. http://servername/names.nsf for starters.

Hans Holt, Ph.D., Senior System Consultant, Commented:
Deny-access groups do not deny web access.
If a user has a person document and knows the http-password, he can get web access even when the name is in a deny access group.
So if there is web access - a deny access group could be the problem.
Notice that there can be several deny access groups.

I have seen errors in the ($users) view stopping access for new users. Rebuild this view to solve that problem.
wishd (Author) Commented:
ThomasMcA2, Thank you! It worked fine. I ran the command and waited 24 hours before trying to re-create the user. When I did re-create them they were no longer showing part of the "Terminated" users group and I was able to set up Notes for each of them without getting the denied server access message.

Thank you again!
Question has a verified solution.