

Un-Delete a terminated User in Lotus Notes issue....

Posted on 2013-12-18
Medium Priority
Last Modified: 2013-12-26

Release 8.5.2FP4 SHF172
Revision 20111118.0756-T00172SHF-FP4 (Release 8.5.2FP4 SHF172)
Standard Configuration

Clients: Windows 7

I am trying to bring back 3 former users that had active email accounts. The users were moved to the "terminated users" group on Lotus Notes Server upon their resignation.

I have tried to remove the users from the group by (1) deleting their names from the group, but under the user's detail, once I re-establish the mailbox, the users still show as part of the "Terminated Users" group when you look at their effective permissions under their database. So I keep getting the error that the users have no permissions on the server etc, etc.

(2) I even tried deleting their original person doc and (3) database and waited for 72 hours and recreated them, just like a new user, and again the person is denied access because the server thinks they are still part of the "Terminated Users" group. So when I go check their database's Access Control > Manage > Effective Access... it lists them as part of the "Terminated Users" group. I then look at the group membership again, "Terminated Users", and none of them are listed on it.

So I do not know where the entry is embedded. I figure it has to be somewhere, but I just am not sure where to look.

FYI: I have also been only working on Notes for 18 months and was thrown into this with no formal training. So please make your responses less abbreviated if possible.

Question by:wishd
LVL 46

Expert Comment

by:Sjef Bosman
ID: 39728013
I have no immediate answer for you, for I'm more of a developer than an admin guy, but luckily for you there are other experts here who should know more about this. So I only have some general questions or hints for you.

Did you use ADMINP to update the Domino configuration?
Is there more than one Deny Access group maybe?
Did you verify the Server document, the Security tab, under Allow access to ?
LVL 14

Expert Comment

ID: 39728395
It might help to create a view in the Public Address Book that shows users by their group membership. You will then be able to select your "terminated" users in this view, and it will list all groups that they belong to. Follow these steps:

1) Name the view People\by Group Membership so that it lives under the built-in People view.
2) Set the Selection Formula for the view to SELECT (Form = "Group" )
3) Create a Members column with this formula: @Name([CN]; Members)
4) In the properties of that Members column set the Multi-value separator to New Line.
5) Add a List Name column that selects the ListName field

You can then open the view, find the user's name, and double-click the Group name to open it.
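
A scripted version of the same lookup, as an added example that is not part of the original answer: a LotusScript agent that selects the Group documents in the Domino Directory and prints every group that directly lists a given user, flagging Deny List groups. The server name `Server01/Acme` and the user `Jane Doe` are placeholders; nested-group and wildcard membership is not resolved.

```lotusscript
Option Public
Option Declare

' Added example: report every group in names.nsf whose Members field
' directly contains the target user (matched by common name).
Sub Initialize
	Dim session As New NotesSession
	Dim dir As NotesDatabase
	Dim groups As NotesDocumentCollection
	Dim doc As NotesDocument
	Dim nm As NotesName
	Dim members As Variant
	Dim target As String
	Dim groupType As String
	Dim hits As Integer

	target = "Jane Doe"                                         ' placeholder user
	Set dir = session.GetDatabase("Server01/Acme", "names.nsf") ' placeholder server
	If Not dir.IsOpen Then
		Print "Cannot open names.nsf on the server"
		Exit Sub
	End If

	' Same selection as the view in the steps above: all Group documents
	Set groups = dir.Search({Form = "Group"}, Nothing, 0)
	Set doc = groups.GetFirstDocument
	Do Until doc Is Nothing
		members = doc.GetItemValue("Members")
		ForAll m In members
			' Same reduction as @Name([CN]; Members)
			Set nm = New NotesName(CStr(m))
			If LCase(nm.Common) = LCase(target) Then
				hits = hits + 1
				groupType = CStr(doc.GetItemValue("GroupType")(0))
				If groupType = "3" Then   ' "3" is the Deny List only group type
					Print "DENY LIST group: " & doc.GetItemValue("ListName")(0)
				Else
					Print "Group: " & doc.GetItemValue("ListName")(0)
				End If
				Exit ForAll
			End If
		End ForAll
		Set doc = groups.GetNextDocument(doc)
	Loop
	Print hits & " group(s) list " & target & " directly"
End Sub
```

If this reports no Deny List group while Effective Access still shows one, the stale entry is not in the directory documents themselves.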

Expert Comment

ID: 39728582
Is there more than one Deny Access Group defined in your environment?


LVL 15

Expert Comment

ID: 39728871
Hi there,

I would suggest you re-try the suggestions you have mentioned in the question, in addition to a downtime and a server restart.

Then check what happens.

Best Wishes

Author Comment

ID: 39729132
Hi, (1) there is only one group that is for terminated users and no other deny groups. (2) We could reboot but that would be very hard to schedule since we are in our very busy season and we are running 24 hours a day right now with sales and can't really justify a restart right now. I can't imagine a restart would be part of the process for anyone we want to bring back, but as a troubleshooting step I understand why you are suggesting it. I just can't do that every time I want to remove someone from the group. I will try to see if I can schedule it but it may not happen until after the first of the year. In the meantime I did create the 3 users with slightly different email accounts so they do not match exactly the old ones. I then was able to add an alias that did match the old addresses so they do essentially have the same email address as before, but as an alias; the actual internet address on the mailbox has a "1" on the end. That is the only way I was able to get them back in the system. In light of this I assume that the server has no record of the former email address...???...because if it did I would think there would be a conflict. I was able to send email to their accounts from outside our network and it reached all three of them. I just know that in the past if I tried to add a duplicate email address anywhere it would bounce back because it is in two places.
LVL 14

Accepted Solution

ThomasMcA2 earned 1600 total points
ID: 39729607
If they are no longer in the Terminated Users group, but the Effective Access button says they are, then the "group cache" on the server needs to be cleared/reset. Run this console command to clear the cache:
show nlcache reset



Expert Comment

by:Hans Holt, Ph.D.
ID: 39730907
Create the person with a slightly other name - like add a middle name or omit it.
Then you have a new person - that should work.
LVL 15

Expert Comment

ID: 39731541
Did you manage to get a downtime and restart the server, then check??
As I suggested in my previous comment ...
LVL 43

Expert Comment

by:Steve Knight
ID: 39735015
Other things to check.... so you have looked in server names.nsf and under Groups / Deny Access groups and there are no other groups there, no replication conflicts that might have them in etc?

Second, open the server document, in names.nsf into Configuration, Servers, All Server documents and choose the relevant one.

In the second tab "security", look at the "not access server" and "access server".  Any clues from that - maybe a non "deny access" group that has been put in the "not access server", or the other way around, only members of "All users" group can access the server.

It should really only come down to:

1) The user has ID file which is valid and they have password.  Now they can communicate with the server.
2) They have a person document, it has the key in there matching that ID file
3) The server document listed access server / not access server is obeyed, i.e. whichever groups  they should be in, and/or if they are listed as users in the servers document then remove them.

LVL 43

Expert Comment

by:Steve Knight
ID: 39735019
Another good check is to set the internet password in their person document and try logging in through a web browser, i.e. http://servername/names.nsf for starters.


Expert Comment

by:Hans Holt, Ph.D.
ID: 39735197
Deny-access groups do not deny web access.
If a user has a person document and knows the http-password, he can get web access even when the name is in a deny access group.
So if there is web access - a deny access group could be the problem.
Notice that there can be several deny access groups.

I have seen errors in the ($users) view stopping access for new users. Rebuild this view to solve that problem.

Author Closing Comment

ID: 39739977
ThomasMcA2, thank you! It worked fine. I ran the command and waited 24 hours before trying to re-create the user. When I did re-create them they were no longer showing as part of the "Terminated" users group and I was able to set up Notes for each of them without getting the denied server access message.

Thank you again!

Question has a verified solution.