

Synchronize IBM notes Internet Password with AD

Posted on 2014-12-31
Medium Priority
Last Modified: 2015-01-05
I would like to synchronize the IBM Notes Internet password with AD. Is there a way to do so with Domino 9.0.1 FP2 and IBM Notes 9.0.1 FP2?
Question by:lberthiaume
LVL 43

Expert Comment

by:Steve Knight
ID: 40526540
Do you have any link with AD at the moment, and how do the users currently use their Notes clients - entering passwords or logged on with the OS?

You can't sync with what is already in AD as they are encrypted but when a user changes their OS password you can have it change their Notes password and the Internet password can be kept in sync with that using policy.

You may have to be careful then though if you have people, for example, using Traveler to sync with mobiles, tablets etc., especially if you have internet password lockout configured, because then once the password changed the mobile device would use the old password and lock the account out.

Please explain a bit more and will see what can be suggested.

LVL 13

Expert Comment

ID: 40526811

Author Comment

ID: 40527785
I have Shared login and ID vault running.    
From what I know, I would have to use Directory services to synchronize the internet passwords. This in turn would synchronize the internet passwords to AD.
To complicate things I also have a Traveler server which in turn talks to the BES for our blackberries, and would like that to sync with AD.
For now I still don't know if this is still possible and what complications I may run into with Traveler (blackberries).
In other words have everything and anything under one password.

LVL 43

Expert Comment

by:Steve Knight
ID: 40527801
Hmm, will wait on what other people say for now.

So at the moment the users change their Windows domain password presumably based on a policy prompting and requiring them to (and/or when they just feel like it).  As you are using Shared Login rather than client single logon then anything from the client side to sync the password is out, and afaik anything from the AD side too.

So from my mind think your options are:

1. prompt the user in some way to change their internet passwords
2. prompt the user to change their AD and internet passwords at the same time, i.e. script it rather than letting the user change at the OS - e.g. a login script / GPO could prompt for a new password monthly based on password age before they are required to change it also make the change through Notes.

Apart from that maybe you could use your AD logins as an extra directory for logins to HTTP

BES shouldn't be affected but Traveler users will of course be with their internet passwords.

Listening for anyone else's better ideas myself, majority of my customers have chosen not to integrate to that level yet.


Author Comment

ID: 40527815
I am still in testing environment phases for now, production will go into as far as I can go.    You  gave me the idea that maybe we can administratively manage the internet passwords and change them ONLY if they need to...

A new script to synchronize Internet password is pretty much beyond me.   Unless there is a script out there that I could "modify" to our needs.
LVL 43

Expert Comment

by:Steve Knight
ID: 40527848
Will see what I can find to show you.
LVL 43

Accepted Solution

Steve Knight earned 2000 total points
ID: 40528569
Scripting wise pretty well anything is possible of course, except to control the Windows password changing box and the like.  You can soon write the user's internet password assuming they have a suitable access to the directory, e.g. this old script of mine.  Similar could be done as VBScript etc. though this does seem the 'wrong' way to go about it.

Are there common denominators between AD and Notes, e.g. if the shortname on Notes is always the same as their AD login or similar then it is easier to tie it in.  Frankly unless they change their password through something else than the OS itself there is no way of Notes knowing their password to then amend the internet password as with shared login there is no password to sync.

So if the user could be made to change their AD password etc. or even just prompted to enter a new password next time they go into Notes if the AD password age is changed today...  Below is a bit of login script I wrote for one company that checked the password expiry for the logging in user and advised them to change it for example.  The "objUser.PasswordLastChanged" part could be checked and if just changed advise the user to change their internet password or trigger a script to do it?


Sub CheckExpiry
  Dim objSysInfo, objUser, objUserName, objDomain, objWShell
  Dim strUserDN, strDomainDN, strUserCN
  Dim maxPwdAge, numDays, daysToExpiration, objPwdExpires, whenPasswordExpires

  Set objWShell = WScript.CreateObject("WScript.Shell")

  Set objSysInfo = CreateObject("ADSystemInfo")
  strUserDN = objSysInfo.UserName
  strDomainDN = objSysInfo.DomainShortName

  Set objDomain = GetObject("LDAP://" & strDomainDN)
  Set objUser = GetObject("LDAP://" & strUserDN)
  ' The WinNT provider needs the logon name (sAMAccountName), not the DN
  strUserCN = objUser.Get("sAMAccountName")
  Set objUserName = GetObject("WinNT://" & strDomainDN & "/" & strUserCN & ",user")

  ' &H10000 is the "password never expires" flag
  objPwdExpires = objUserName.Get("UserFlags")
  If (objPwdExpires And &H10000) <> 0 Then
    MsgBox "User password does not expire"
    Exit Sub
  End If

  ' Check the domain policy for password changes:
  Set maxPwdAge = objDomain.Get("maxPwdAge")

  ' Calculate the number of days that are held in this value, add the days to last password set date
  ' and so know how many days until it needs changing

  numDays = CCur((maxPwdAge.HighPart * 2 ^ 32) + maxPwdAge.LowPart) / CCur(-864000000000)
  whenPasswordExpires = DateAdd("d", numDays, objUser.PasswordLastChanged)
  daysToExpiration = DateDiff("d", Now(), whenPasswordExpires)

  MsgBox "Password expires on " & whenPasswordExpires & " ( " & daysToExpiration & " days )"

  If daysToExpiration <= 1 Then
    MsgBox "PLEASE CHANGE YOUR PASSWORD." & vbCrLf & vbCrLf & _
      "Unless you change your password today you may lock your account out as it expires at " & _
      whenPasswordExpires & vbCrLf & vbCrLf & _
      "Please press Control-Alt-Delete and choose Change Password now.", _
      16 + 0, "PASSWORD EXPIRES on " & whenPasswordExpires
  End If
  If daysToExpiration <= 5 Then
    MsgBox "Please note you have " & daysToExpiration & " days left to change your password.  " & _
      "Please change before then to avoid locking your account.", _
      48 + 0, "PASSWORD EXPIRES on " & whenPasswordExpires
  End If
End Sub
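
One way to act on the "objUser.PasswordLastChanged" suggestion above, as an added example that is not part of the original post: a logon script that reminds the user once per AD password change to update the Notes Internet password and any Traveler device, so the device does not keep sending the old password into an Internet password lockout. The registry value name and the 72-hour window are assumptions chosen for illustration.

```vbscript
Option Explicit
' Added example. MARKER and RECENT_HOURS are assumptions, not values from the thread.
Const MARKER = "HKCU\Software\ExampleCorp\PwdReminder\LastChange"  ' hypothetical key
Const RECENT_HOURS = 72

' Text stamp for a date that does not depend on regional settings.
Function StampOf(dt)
  StampOf = Year(dt) & Right("0" & Month(dt), 2) & Right("0" & Day(dt), 2) & _
            Right("0" & Hour(dt), 2) & Right("0" & Minute(dt), 2)
End Function

' Stamp of the password change already reminded about ("" on first run).
Function ReadMarker(objShell)
  ReadMarker = ""
  On Error Resume Next          ' RegRead raises an error if the value is missing
  ReadMarker = objShell.RegRead(MARKER)
  On Error GoTo 0
End Function

' True when the AD password changed recently and no reminder has been
' recorded yet for that particular change.
Function NeedsReminder(dtChanged, strMarker, dtNow)
  NeedsReminder = (DateDiff("h", dtChanged, dtNow) <= RECENT_HOURS) _
                  And (StampOf(dtChanged) <> strMarker)
End Function

Sub Main
  Dim objShell, objSysInfo, objUser, dtChanged
  Set objShell = CreateObject("WScript.Shell")
  Set objSysInfo = CreateObject("ADSystemInfo")
  Set objUser = GetObject("LDAP://" & objSysInfo.UserName)
  dtChanged = objUser.PasswordLastChanged

  If NeedsReminder(dtChanged, ReadMarker(objShell), Now()) Then
    MsgBox "Your Windows password was changed on " & dtChanged & "." & vbCrLf & vbCrLf & _
      "Change your Notes Internet password to match, then update the password " & _
      "stored on any Traveler device so it stops sending the old one.", _
      48, "Internet password reminder"
    ' Record this change so the reminder appears once per password change.
    objShell.RegWrite MARKER, StampOf(dtChanged), "REG_SZ"
  End If
End Sub

Main
```

The script only reads the password-change date and never handles the password itself, which fits the Shared Login constraint discussed in the thread.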



Author Closing Comment

ID: 40531401
Thanks for your help
LVL 43

Expert Comment

by:Steve Knight
ID: 40531718
Well sorry I didn't come up with an easy fix.... perhaps you could post back as your project goes on with feedback and hopefully we can help with any other issues.

