Un-Delete a terminated User in Lotus Notes issue....

Posted on 2013-12-18
Last Modified: 2013-12-26
Hello,

Release 8.5.2FP4 SHF172
Revision 20111118.0756-T00172SHF-FP4 (Release 8.5.2FP4 SHF172)
Standard Configuration

Clients: Windows 7

I am trying to bring back 3 former users that had active email accounts. The users were moved to the "terminated users" group on Lotus Notes Server upon their resignation.

I have tried to remove the users from the group by (1) deleting their names from the group, but under the user's detail, once I re-establish the mailbox, the users still show as part of the "Terminated Users" group when you look at their effective permissions under their database. So I keep getting the error that the users have no permissions on the server etc, etc.

(2) I even tried deleting their original person doc and (3) database and waited for 72 hours and recreated them, just like a new user, and again the person is denied access because the server thinks they are still part of the "Terminated Users" group. So when I go check their database's Access Control > Manage > Effective Access... it lists them as part of the "Terminated Users" group. I then look at the group membership again, "Terminated Users", and none of them are listed on it.

So I do not know where the entry is embedded. I figure it has to be somewhere, but I just am not sure where to look.

FYI: I have also been only working on Notes for 18 months and was thrown into this with no formal training. So please make your responses less abbreviated if possible.

Thanks!
Question by:wishd
12 Comments
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 39728013
I have no immediate answer for you, for I'm more of a developer than an admin guy, but luckily for you there are other experts here who should know more about this. So I only have some general questions or hints for you.

Did you use ADMINP to update the Domino configuration?
Is there more than one Deny Access group maybe?
Did you verify the Server document, the Security tab, under Allow access to ?
0
 
LVL 14

Expert Comment

by:ThomasMcA2
ID: 39728395
It might help to create a view in the Public Address Book that shows users by their group membership. You will then be able to select your "terminated" users in this view, and it will list all groups that they belong to. Follow these steps:

1) Name the view People\by Group Membership so that it lives under the built-in People view.
2) Set the Selection Formula for the view to SELECT (Form = "Group" )
3) Create a Members column with this formula: @Name([CN]; Members)
4) In the properties of that Members column set the Multi-value separator to New Line.
5) Add a List Name column that selects the ListName field

You can then open the view, find the user's name, and double-click the Group name to open it.
0
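The same lookup the view above gives, done offline over exported Group documents and extended to nested groups, where a user can sit in a deny list without being named in it. This is an added example, not code from the thread; the sample groups, the names and the `Type` key holding the group-type label are constructed assumptions.

```python
import re

# Constructed sample data: Group documents as they might be exported from
# names.nsf (ListName, group type label, Members). Not from the original thread.
GROUPS = [
    {"ListName": "Terminated Users", "Type": "Deny List only",
     "Members": ["CN=Old Hire/O=Acme", "Former Contractors"]},
    {"ListName": "Former Contractors", "Type": "Multi-purpose",
     "Members": ["CN=Jane Roe/O=Acme", "Terminated Users"]},  # circular on purpose
    {"ListName": "Sales", "Type": "Multi-purpose",
     "Members": ["Jane Roe/Acme", "CN=Sam Poe/O=Acme"]},
    {"ListName": "All Users", "Type": "Multi-purpose", "Members": ["Sales"]},
]

def abbreviate(name):
    """Fold 'CN=Jane Roe/O=Acme' and 'Jane Roe/Acme' to one comparable form."""
    return re.sub(r"\b(CN|OU|O|C)=", "", name, flags=re.I).strip().lower()

def memberships(user, groups):
    """Map each group containing `user` (directly or nested) to the nesting path."""
    by_name = {abbreviate(g["ListName"]): g for g in groups}
    target = abbreviate(user)

    def path_to_user(key, seen):
        if key in seen:              # circular nesting: stop instead of looping
            return None
        group = by_name[key]
        for member in map(abbreviate, group["Members"]):
            if member == target:
                return [group["ListName"]]
            if member in by_name:    # member is itself a group: descend
                sub = path_to_user(member, seen | {key})
                if sub:
                    return [group["ListName"]] + sub
        return None

    paths = {g["ListName"]: path_to_user(abbreviate(g["ListName"]), frozenset())
             for g in groups}
    return {name: p for name, p in paths.items() if p}

def deny_paths(user, groups):
    """Only the memberships that end up in a 'Deny List only' group."""
    deny = {g["ListName"] for g in groups if g["Type"] == "Deny List only"}
    return {n: p for n, p in memberships(user, groups).items() if n in deny}

if __name__ == "__main__":
    for who in ("Jane Roe/Acme", "Sam Poe/Acme"):
        print(who, "->", deny_paths(who, GROUPS) or "no deny-list membership")
```

The returned path shows which intermediate group pulls the user into the deny list, which is the entry to remove.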
 
LVL 4

Expert Comment

by:umeli
ID: 39728582
Hi
Is there more than one Deny Access group defined in your environment?
0
 
LVL 15

Expert Comment

by:akhafaf
ID: 39728871
Hi there,

I would suggest that you retry the suggestions you mentioned in the question, in addition to a downtime and a server restart.

Then check what happens.

Best Wishes
0
 

Author Comment

by:wishd
ID: 39729132
Hi, (1) there is only one group that is for terminated users and no other deny groups. (2) We could reboot but that would be very hard to schedule since we are in our very busy season and we are running 24 hours a day right now with sales and can't really justify a restart right now. I can't imagine a restart would be part of the process for anyone we want to bring back, but as a troubleshooting step I understand why you are suggesting it. I just can't do that every time I want to remove someone from the group. I will try to see if I can schedule it but it may not happen until after the first of the year. In the meantime I did create the 3 users with slightly different email accounts so they do not match exactly the old ones. I then was able to add an alias that did match the old addresses so they do essentially have the same email address as before, but as an alias, the actual internet address on the mailbox has a "1" on the end. That is the only way I was able to get them back in the system. In light of this I assume that the server has no record of the former email address...???...because if it did I would think there would be a conflict. I was able to send email to their accounts from outside our network and it reached all three of them. I just know that in the past if I tried to add a duplicate email address anywhere it would bounce back because it is in two places.
0
 
LVL 14

Accepted Solution

by:
ThomasMcA2 earned 1600 total points
ID: 39729607
If they are no longer in the Terminated Users group, but the Effective Access button says they are, then the "group cache" on the server needs to be cleared/reset. Run this console command to clear the cache:
show nlcache reset

0
 
LVL 1

Expert Comment

by:Hans Holt, Ph.D.
ID: 39730907
Create the person with a slightly other name - like add a middle name or omit it.
Then you have a new person - that should work.
0
 
LVL 15

Expert Comment

by:akhafaf
ID: 39731541
Did you manage to get a downtime and restart the server, then check?
As I suggested in my previous comment ...
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 39735015
Other things to check.... so you have looked in server names.nsf and under Groups / Deny Access groups and there are no other groups there, no replication conflicts that might have them in etc?

Second, open the server document, in names.nsf into Configuration, Servers, All Server documents and choose the relevant one.

In the second tab "security", look at the "not access server" and "access server".  Any clues from that - maybe a non "deny access" group that has been put in the "not access server", or the other way around, only members of "All users" group can access the server.

It should really only come down to:

1) The user has ID file which is valid and they have password.  Now they can communicate with the server.
2) They have a person document, it has the key in there matching that ID file
3) The server document listed access server / not access server is obeyed, i.e. whichever groups  they should be in, and/or if they are listed as users in the servers document then remove them.

Steve
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 39735019
Another good check is to set the internet password in their person document and try logging in through a web browser, i.e. http://servername/names.nsf for starters.

Steve
0
 
LVL 1

Expert Comment

by:Hans Holt, Ph.D.
ID: 39735197
@dragon-it
Deny-access groups do not deny web access.
If a user has a person document and knows the HTTP password, he can get web access even when the name is in a deny access group.
So if there is web access - a deny access group could be the problem.
Notice that there can be several deny access groups.

I have seen errors in the ($users) view stopping access for new users. Rebuild this view to solve that problem.
0
 

Author Closing Comment

by:wishd
ID: 39739977
ThomasMcA2, Thank you! It worked fine. I ran the command and waited 24 hours before trying to re-create the user. When I did re-create them they were no longer showing part of the "Terminated" users group and I was able to set up Notes for each of them without getting the denied server access message.

Thank you again!
0

Question has a verified solution.