Un-Delete a terminated User in Lotus Notes issue....

Posted on 2013-12-18
Last Modified: 2013-12-26

Release 8.5.2FP4 SHF172
Revision 20111118.0756-T00172SHF-FP4 (Release 8.5.2FP4 SHF172)
Standard Configuration

Clients: Windows 7

I am trying to bring back 3 former users that had active email accounts. The users were moved to the "terminated users" group on Lotus Notes Server upon their resignation.

I have tried to remove the users from the group, by (1) deleting their names from the group, but under the user's detail, once I re-establish the mail box, the users still show as part of the "Terminated Users" group when you look at their effective permissions under their database. So I keep getting the error that the users have no permissions on the server etc, etc.

(2) I even tried deleting their original person doc and (3) database and waited for 72 hours and recreated them, just like a new user, and again the person is denied access because the server thinks they are still part of the "Terminated Users" group. So when I go check their database's Access Control > Manage > Effective Access... it lists them as part of the "Terminated Users" group. I then look at the group membership again, "Terminated Users", and none of them are listed on it.

So I do not know where the entry is embedded. I figure it has to be somewhere, but I just am not sure where to look.

FYI: I have also been only working on Notes for 18 months and was thrown into this with no formal training. So please make your responses less abbreviated if possible.

Question by:wishd
LVL 46

Expert Comment

by:Sjef Bosman
ID: 39728013
I have no immediate answer for you, for I'm more of a developer than an admin guy, but luckily for you there are other experts here who should know more about this. So I only have some general questions or hints for you.

Did you use ADMINP to update the Domino configuration?
Is there more than one Deny Access group maybe?
Did you verify the Server document, the Security tab, under Allow access to ?
LVL 14

Expert Comment

ID: 39728395
It might help to create a view in the Public Address Book that shows users by their group membership. You will then be able to select your "terminated" users in this view, and it will list all groups that they belong to. Follow these steps:

1) Name the view People\by Group Membership so that it lives under the built-in People view.
2) Set the Selection Formula for the view to SELECT (Form = "Group" )
3) Create a Members column with this formula: @Name([CN]; Members)
4) In the properties of that Members column set the Multi-value separator to New Line.
5) Add a List Name column that selects the ListName field

You can then open the view, find the user's name, and double-click the Group name to open it.

Expert Comment

ID: 39728582
Is there more than one Deny Access group defined in your environment?
LVL 15

Expert Comment

ID: 39728871
Hi there,

I would suggest, if you can, to re-try the suggestions you have mentioned in the question, in addition to a downtime and a server restart.

Then check what happens.

Best Wishes

Author Comment

ID: 39729132
Hi, (1) there is only one group that is for terminated users and no other deny groups. (2) We could reboot but that would be very hard to schedule since we are in our very busy season and we are running 24 hours a day right now with sales and can't really justify a restart right now. I can't imagine a restart would be part of the process for anyone we want to bring back, but as a troubleshooting step I understand why you are suggesting it. I just can't do that every time I want to remove someone from the group. I will try to see if I can schedule it but it may not happen until after the first of the year. In the meantime I did create the 3 users with slightly different email accounts so they do not match exactly the old ones. I then was able to add an alias that did match the old addresses so they do essentially have the same email address as before, but as an alias, the actual internet address on the mailbox has a "1" on the end. That is the only way I was able to get them back in the system. In light of this I assume that the server has no record of the former email address...???...because if it did I would think there would be a conflict. I was able to send email to their accounts from outside our network and it reached all three of them. I just know that in the past if I tried to add a duplicate email address anywhere it would bounce back because it is in two places.
LVL 14

Accepted Solution

ThomasMcA2 earned 400 total points
ID: 39729607
If they are no longer in the Terminated Users group, but the Effective Access button says they are, then the "group cache" on the server needs to be cleared/reset. Run this console command to clear the cache:
show nlcache reset
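
An added example (not from the thread or from IBM): the member-to-group lookup that the "by Group Membership" view above gives, done offline in Python and extended to follow nested groups and to flag the case this answer describes, where Effective Access reports a deny group the directory no longer lists. The group data, user names and the `DENY_GROUPS` set are constructed assumptions standing in for an export of the Group documents.

```python
# Constructed sample: ListName -> Members, as exported from Group documents.
# All names are hypothetical; a group may list other groups as members.
GROUPS = {
    "Terminated Users": ["CN=Old Employee/O=Acme"],
    "Sales": ["CN=Jane Doe/O=Acme", "Seasonal Staff"],
    "Seasonal Staff": ["CN=Sam Lee/O=Acme", "Sales"],  # circular nesting
    "Former Contractors": ["Seasonal Staff"],
}
DENY_GROUPS = {"Terminated Users", "Former Contractors"}  # assumed deny list


def common_name(entry):
    """Lowercased common-name part of 'CN=Jane Doe/O=Acme' or 'Jane Doe/Acme'.
    Matching on CN only mirrors the view's @Name([CN]; Members) column."""
    first = entry.split("/")[0].strip()
    return (first[3:] if first.upper().startswith("CN=") else first).lower()


def groups_for(user, groups=GROUPS):
    """Every group containing the user, directly or through nested groups."""
    target = common_name(user)
    by_key = {common_name(name): name for name in groups}

    def contains(group, seen):
        if group in seen:  # stop on circular nesting
            return False
        seen = seen | {group}
        for member in groups[group]:
            key = common_name(member)
            if key == target:
                return True
            if key in by_key and contains(by_key[key], seen):
                return True
        return False

    return {name for name in groups if contains(name, frozenset())}


def stale_deny_entries(user, effective_access_groups,
                       groups=GROUPS, deny=DENY_GROUPS):
    """Deny groups that Effective Access reports but the directory data
    no longer supports: the symptom that points at the server's cache."""
    in_directory = groups_for(user, groups)
    return sorted((set(effective_access_groups) & deny) - in_directory)


if __name__ == "__main__":
    print(groups_for("Jane Doe/Acme"))
    print(stale_deny_entries("Pat Rehire/Acme", ["Terminated Users"]))
```

A non-empty result from `stale_deny_entries` means the directory and the server disagree; an empty result with access still denied points back at the directory or the server document instead.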


Expert Comment

by:Hans Holt, Ph.D.
ID: 39730907
Create the person with a slightly other name - like add a middle name or omit it.
Then you have a new person - that should work.
LVL 15

Expert Comment

ID: 39731541
Did you manage to get a downtime and restart the server, then check?
As I suggested in my previous comment...
LVL 43

Expert Comment

by:Steve Knight
ID: 39735015
Other things to check.... so you have looked in server names.nsf and under Groups / Deny Access groups and there are no other groups there, no replication conflicts that might have them in etc?

Second, open the server document, in names.nsf into Configuration, Servers, All Server documents and choose the relevant one.

In the second tab "security", look at the "not access server" and "access server".  Any clues from that - maybe a non "deny access" group that has been put in the "not access server", or the other way around, only members of "All users" group can access the server.

It should really only come down to:

1) The user has ID file which is valid and they have password.  Now they can communicate with the server.
2) They have a person document, it has the key in there matching that ID file
3) The server document listed access server / not access server is obeyed, i.e. whichever groups  they should be in, and/or if they are listed as users in the servers document then remove them.

LVL 43

Expert Comment

by:Steve Knight
ID: 39735019
Another good check is to set the internet password in their person document and try logging in through a web browser, i.e. http://servername/names.nsf for starters.


Expert Comment

by:Hans Holt, Ph.D.
ID: 39735197
Deny-access groups do not deny web access.
If a user has a person document and knows the http-password, he can get web access even when the name is in a deny access group.
So if there is web access, a deny access group could be the problem.
Notice that there can be several deny access groups.

I have seen errors in the ($users) view stopping access for new users. Rebuild this view to solve that problem.

Author Closing Comment

ID: 39739977
ThomasMcA2, Thank you! It worked fine. I ran the command and waited 24 hours before trying to re-create the user. When I did re-create them they were no longer showing part of the "Terminated" users group and I was able to set up Notes for each of them without getting the denied server access message.

Thank you again!
