

Synchronize IBM Notes Internet Password with AD

Posted on 2014-12-31
Medium Priority
Last Modified: 2015-01-05
I would like to synchronize the IBM Notes Internet password with AD. Is there a way to do so with Domino 9.0.1 FP2 and IBM Notes 9.0.1 FP2?
Question by:lberthiaume
LVL 43

Expert Comment

by:Steve Knight
ID: 40526540
Do you have any link with AD at the moment, and how do the users currently use their Notes clients - entering passwords or logged on with the OS?

You can't sync with what is already in AD as they are encrypted but when a user changes their OS password you can have it change their Notes password and the Internet password can be kept in sync with that using policy.

You may have to be careful then though if you have people, for example, using Traveler to sync with mobiles, tablets etc., especially if you have internet password lockout configured, because then once the password changed the mobile device would use the old password and lock the account out.

Please explain a bit more and will see what can be suggested.

LVL 13

Expert Comment

ID: 40526811

Author Comment

ID: 40527785
I have Shared login and ID vault running.    
From what I know, I would have to use Directory services to synchronize the internet passwords. This in turn would synchronize the internet passwords to AD.
To complicate things I also have a Traveler server which in turn talks to the BES for our blackberries, and would like that to sync with AD.
For now I still don't know if this is still possible and what complications I may run into with Traveler (blackberries).
In other words have everything and anything under one password.

LVL 43

Expert Comment

by:Steve Knight
ID: 40527801
Hmm, will wait on what other people say for now.

So at the moment the users change their Windows domain password presumably based on a policy prompting and requiring them to (and/or when they just feel like it).  As you are using Shared Login rather than client single logon then anything from the client side to sync the password is out, and afaik anything from the AD side too.

So from my mind think your options are:

1. prompt the user in some way to change their internet passwords
2. prompt the user to change their AD and internet passwords at the same time, i.e. script it rather than letting the user change at the OS - e.g. a login script / GPO could prompt for a new password monthly based on password age before they are required to change it also make the change through Notes.

Apart from that maybe you could use your AD logins as an extra directory for logins to HTTP

BES shouldn't be affected but Traveler users will of course be with their internet passwords.

Listening for anyone else's better ideas myself, majority of my customers have chosen not to integrate to that level yet.


Author Comment

ID: 40527815
I am still in testing environment phases for now, production will go into as far as I can go.    You  gave me the idea that maybe we can administratively manage the internet passwords and change them ONLY if they need to...

A new script to synchronize Internet password is pretty much beyond me.   Unless there is a script out there that I could "modify" to our needs.
LVL 43

Expert Comment

by:Steve Knight
ID: 40527848
Will see what I can find to show you.
LVL 43

Accepted Solution

Steve Knight earned 2000 total points
ID: 40528569
Scripting wise pretty well anything is possible of course, except to control the Windows password changing box and the like.  You can soon write the user's internet password assuming they have a suitable access to the directory, e.g. this old script of mine.  Similar could be done as VBScript etc. though this does seem the 'wrong' way to go about it.


Are there common denominators between AD and Notes, e.g. if the shortname on Notes is always the same as their AD login or similar then it is easier to tie it in.  Frankly unless they change their password through something else than the OS itself there is no way of Notes knowing their password to then amend the internet password as with shared login there is no password to sync.

So if the user could be made to change their AD password etc. or even just prompted to enter a new password next time they go into Notes if the AD password age is changed today...  below is a bit of login script I wrote for one company that checked the password expiry for the logging in user and advised them to change it for example.  The "objUser.PasswordLastChanged" part could be checked and if just changed advise the user to change their internet password or trigger a script to do it?


Sub CheckExpiry
  Dim objSysInfo, objUser, objUserName, objDomain, objWShell
  Dim strUserDN, strDomainDN, strUserCN
  Dim maxPwdAge, numDays, daysToExpiration, objPwdExpires, whenPasswordExpires

  Set objWShell = WScript.CreateObject("WScript.Shell")

  ' Distinguished name of the logged-on user and the short (NetBIOS) domain name
  Set objSysInfo = CreateObject("ADSystemInfo")
  strUserDN = objSysInfo.UserName
  strDomainDN = objSysInfo.DomainShortName

  Set objDomain = GetObject("LDAP://" & strDomainDN)
  Set objUser = GetObject("LDAP://" & strUserDN)

  ' The WinNT provider needs the logon name (sAMAccountName), not the DN
  strUserCN = objUser.sAMAccountName
  Set objUserName = GetObject("WinNT://" & strDomainDN & "/" & strUserCN & ",user")

  ' UserFlags bit &H10000 means "password never expires"
  objPwdExpires = objUserName.Get("UserFlags")
  If (objPwdExpires And &H10000) <> 0 Then
    MsgBox "User password does not expire"
    Exit Sub
  End If

  ' Check the domain policy for password changes:
  Set maxPwdAge = objDomain.Get("maxPwdAge")

  ' Calculate the number of days that are held in this value, add the days to last password set date
  ' and so know how many days until it needs changing
  numDays = CCur((maxPwdAge.HighPart * 2 ^ 32) + maxPwdAge.LowPart) / CCur(-864000000000)
  whenPasswordExpires = DateAdd("d", numDays, objUser.PasswordLastChanged)
  daysToExpiration = DateDiff("d", Now(), whenPasswordExpires)

  MsgBox "Password expires on " & whenPasswordExpires & " ( " & daysToExpiration & " days )"

  ' Show the urgent warning on the last day, otherwise a reminder in the last five days
  If daysToExpiration <= 1 Then
    MsgBox "PLEASE CHANGE YOUR PASSWORD." & vbCrLf & vbCrLf & _
      "Unless you change your password today you may lock your account out as it expires at " & _
      whenPasswordExpires & vbCrLf & vbCrLf & _
      "Please press Control-Alt-Delete and choose Change Password now.", _
      16 + 0, "PASSWORD EXPIRES on " & whenPasswordExpires
  ElseIf daysToExpiration <= 5 Then
    MsgBox "Please note you have " & daysToExpiration & " days left to change your password.  " & _
      "Please change before then to avoid locking your account.", _
      48 + 0, "PASSWORD EXPIRES on " & whenPasswordExpires
  End If
End Sub
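
One way to do the "PasswordLastChanged" check suggested above, as an added example that is not part of the original answer: a login script that remembers the last password-change time it saw for the user and prompts only when AD reports a newer one. The registry location and the routine names are assumptions made for illustration; only a timestamp is stored, never a password.

```vbscript
Option Explicit

' Hypothetical per-user marker location (an assumption, not from the original post).
Const MARKER_KEY = "HKCU\Software\ExampleCorp\PwdSync\LastSeenPwdChange"

' Seconds since 2000-01-01: a plain integer, so the stored marker is locale independent.
Function ToSeconds(dtValue)
  ToSeconds = DateDiff("s", DateSerial(2000, 1, 1), dtValue)
End Function

' True when AD reports a password change newer than the stored marker.
' An empty or unreadable marker (first run) only sets a baseline, so no prompt.
Function PasswordChangedSince(lngChanged, strMarker)
  PasswordChangedSince = False
  If Len(strMarker) = 0 Or Not IsNumeric(strMarker) Then Exit Function
  PasswordChangedSince = (lngChanged > CLng(strMarker))
End Function

' RegRead raises an error when the value does not exist yet; treat that as "no marker".
Function ReadMarker(objShell)
  On Error Resume Next
  ReadMarker = CStr(objShell.RegRead(MARKER_KEY))
  If Err.Number <> 0 Then ReadMarker = ""
  On Error GoTo 0
End Function

Sub CheckPasswordChanged
  Dim objShell, objSysInfo, objUser, dtLastChanged, lngChanged
  Set objShell = CreateObject("WScript.Shell")
  Set objSysInfo = CreateObject("ADSystemInfo")
  Set objUser = GetObject("LDAP://" & objSysInfo.UserName)

  dtLastChanged = objUser.PasswordLastChanged
  lngChanged = ToSeconds(dtLastChanged)

  If PasswordChangedSince(lngChanged, ReadMarker(objShell)) Then
    MsgBox "Your Windows password was changed on " & dtLastChanged & "." & vbCrLf & vbCrLf & _
      "Please change your Notes Internet password to match, then update the password " & _
      "on any Traveler device so the old one does not lock your account out.", _
      48, "Internet password out of date"
  End If

  ' Record the change time we have now seen (timestamp only, no credentials).
  objShell.RegWrite MARKER_KEY, CStr(lngChanged), "REG_SZ"
End Sub

CheckPasswordChanged
```

Because the marker lives under HKCU, a user who logs on to a second machine without a roaming profile gets a silent baseline there rather than a prompt.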



Author Closing Comment

ID: 40531401
Thanks for your help
LVL 43

Expert Comment

by:Steve Knight
ID: 40531718
Well sorry I didn't come up with an easy fix.... perhaps you could post back as your project goes on with feedback and hopefully we can help with any other issues.

