Synchronize IBM notes Internet Password with AD

I would like to synchronize the IBM Notes Internet password with AD. Is there a way to do so with Domino 9.0.1 FP2 and IBM Notes 9.0.1 FP2?
Steve Knight (IT Consultancy) commented:
Scripting-wise, pretty well anything is possible of course, except controlling the Windows password-changing box and the like. You can soon write the user's Internet password, assuming they have suitable access to the directory, e.g. this old script of mine. Similar could be done as VBScript etc., though this does seem the 'wrong' way to go about it.

Are there common denominators between AD and Notes, e.g. if the short name in Notes is always the same as their AD login or similar, then it is easier to tie it in. Frankly, unless they change their password through something other than the OS itself, there is no way for Notes to know their password and then amend the Internet password, as with Shared Login there is no password to sync.

So if the user could be made to change their AD password etc., or even just prompted to enter a new password next time they go into Notes if the AD password age changed today... Below is a bit of login script I wrote for one company that checked the password expiry for the logging-in user and advised them to change it, for example. The "objUser.PasswordLastChanged" part could be checked and, if just changed, advise the user to change their Internet password or trigger a script to do it?


Sub CheckExpiry
  DIM objSysInfo, objUser, objDomain, objRootDSE, objUserName, objWShell
  DIM strUserDN, strDomainNB, strUserCN, CR
  DIM maxPwdAge, numDays, daysToExpiration, objPwdExpires, whenPasswordExpires

  CR = vbCrLf
  set objWShell = WScript.CreateObject( "WScript.Shell" )

  SET objSysInfo = CreateObject("ADSystemInfo")
  strUserDN = objSysInfo.UserName            ' distinguished name of the logged-on user
  strDomainNB = objSysInfo.DomainShortName   ' NetBIOS domain name, needed for the WinNT bind

  ' Bind to the domain root via RootDSE (an LDAP path needs a DN, not the NetBIOS name)
  SET objRootDSE = GetObject("LDAP://RootDSE")
  SET objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))
  SET objUser = GetObject("LDAP://" & strUserDN)
  strUserCN = objUser.Get("sAMAccountName")
  SET objUserName = GetObject("WinNT://" & strDomainNB & "/" & strUserCN & ",user")

  ' UF_DONT_EXPIRE_PASSWD (&H10000) set means the domain policy does not apply to this user
  objPwdExpires = objUserName.Get("UserFlags")
  If (objPwdExpires And &H10000) <> 0 Then
    Msgbox "User password does not expire"
    Exit Sub
  End If

  ' Check the domain policy for password changes:
  SET maxPwdAge = objDomain.Get("maxPwdAge")

  ' maxPwdAge is a negative 64-bit count of 100ns intervals; convert it to days,
  ' add the days to the last password set date and so know how many days until it needs changing
  numDays = CCur((maxPwdAge.HighPart * 2 ^ 32) + maxPwdAge.LowPart) / CCur(-864000000000)
  whenPasswordExpires = DateAdd("d", numDays, objUser.PasswordLastChanged)
  daysToExpiration = DateDiff("d", Now(), whenPasswordExpires)

  MsgBox "Password expires on " & whenPasswordExpires & " ( " & daysToExpiration & " days )"

  If daysToExpiration <= 1 Then
    MsgBox "PLEASE CHANGE YOUR PASSWORD." & CR & CR & _
           "Unless you change your password today you may lock your account out as it expires at " & _
           whenPasswordExpires & CR & CR & _
           "Please press Control-Alt-Delete and choose Change Password now.", _
           16 + 0, "PASSWORD EXPIRES on " & whenPasswordExpires
  ElseIf daysToExpiration <= 5 Then
    MsgBox "Please note you have " & daysToExpiration & " days left to change your password.  " & _
           "Please change before then to avoid locking your account.", _
           48 + 0, "PASSWORD EXPIRES on " & whenPasswordExpires
  End If
End Sub

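The follow-on idea in the post above (watch PasswordLastChanged at logon and, if it just moved, tell the user to bring their Notes Internet password into line) as an added login-script example; this is not Steve's script or anything from the thread. It assumes a per-user registry marker under a made-up key (HKCU\Software\ExampleCorp\...) to remember which password change the user has already been reminded about.

```vbscript
' Added example, not from the original thread: notice an AD password change at logon
' (via IADsUser.PasswordLastChanged) and ask the user to update their Notes Internet
' password, which Shared Login does not change for them. Registry path is a placeholder.
Option Explicit

Const MARKER_KEY = "HKCU\Software\ExampleCorp\NotesPwdSync\LastSeenPwdChange"

Function PasswordLastChanged()
  ' Date/time the logged-on user's AD password was last set, as a string
  Dim objSysInfo, objUser
  Set objSysInfo = CreateObject("ADSystemInfo")
  Set objUser = GetObject("LDAP://" & objSysInfo.UserName)
  PasswordLastChanged = CStr(objUser.PasswordLastChanged)
End Function

Function ReadMarker(objShell)
  ' Last password-change timestamp the user was already told about ("" on first run)
  On Error Resume Next
  ReadMarker = objShell.RegRead(MARKER_KEY)
  If Err.Number <> 0 Then ReadMarker = ""
  On Error GoTo 0
End Function

Sub RemindIfPasswordChanged()
  Dim objShell, strChanged, strSeen, intAnswer
  Set objShell = CreateObject("WScript.Shell")
  strChanged = PasswordLastChanged()
  strSeen = ReadMarker(objShell)

  If strSeen = "" Then
    ' First run: record the baseline without nagging the user
    objShell.RegWrite MARKER_KEY, strChanged, "REG_SZ"
  ElseIf strSeen <> strChanged Then
    intAnswer = MsgBox("Your Windows password was changed on " & strChanged & "." & vbCrLf & vbCrLf & _
                       "Your Notes Internet password (used by Traveler and web access) is NOT " & _
                       "changed automatically. Please change it to match now." & vbCrLf & vbCrLf & _
                       "Press OK once you have done so, or Cancel to be reminded at next logon.", _
                       vbOKCancel + vbExclamation, "Notes Internet password")
    ' Only clear the reminder when the user confirms; Cancel keeps the prompt for next logon
    If intAnswer = vbOK Then objShell.RegWrite MARKER_KEY, strChanged, "REG_SZ"
  End If
End Sub

RemindIfPasswordChanged
```

Run it from the logon script (or a GPO logon item) after the expiry check; the reminder repeats every logon until the user acknowledges it, so a Traveler device left on the old password is less likely to go unnoticed until it locks the account.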

Steve Knight (IT Consultancy) commented:
Do you have any link with AD at the moment, and how do the users currently use their Notes clients: entering passwords, or logged on with the OS?

You can't sync with what is already in AD as the passwords are encrypted, but when a user changes their OS password you can have it change their Notes password, and the Internet password can be kept in sync with that using policy.

You may have to be careful then, though, if you have people using Traveler, for example, to sync with mobiles, tablets etc., especially if you have Internet password lockout configured, because once the password is changed the mobile device would use the old password and lock the account out.

Please explain a bit more and I will see what can be suggested.


lberthiaume (Author) commented:
I have Shared Login and ID Vault running.
From what I know, I would have to use Directory Services to synchronize the Internet passwords. This in turn would synchronize the Internet passwords to AD.
To complicate things, I also have a Traveler server which in turn talks to the BES for our BlackBerries, and I would like that to sync with AD.
For now I still don't know if this is possible and what complications I may run into with Traveler (BlackBerries).
In other words, have everything and anything under one password.
Steve Knight (IT Consultancy) commented:
Hmm, will wait on what other people say for now.

So at the moment the users change their Windows domain password, presumably based on a policy prompting and requiring them to (and/or when they just feel like it). As you are using Shared Login rather than client single logon, anything from the client side to sync the password is out, and afaik anything from the AD side too.

So to my mind I think your options are:

1. Prompt the user in some way to change their Internet password.
2. Prompt the user to change their AD and Internet passwords at the same time, i.e. script it rather than letting the user change it at the OS, e.g. a login script / GPO could prompt for a new password monthly based on password age, before they are required to change it, and also make the change through Notes.

Apart from that, maybe you could use your AD logins as an extra directory for logins to HTTP.

BES shouldn't be affected, but Traveler users will of course be, with their Internet passwords.

Listening for anyone else's better ideas myself; the majority of my customers have chosen not to integrate to that level yet.

lberthiaume (Author) commented:
I am still in the testing environment phase for now; production will go as far as I can go. You gave me the idea that maybe we can administratively manage the Internet passwords and change them ONLY if they need to...

A new script to synchronize Internet passwords is pretty much beyond me, unless there is a script out there that I could "modify" to our needs.
Steve Knight (IT Consultancy) commented:
Will see what I can find to show you.
lberthiaume (Author) commented:
Thanks for your help.
Steve Knight (IT Consultancy) commented:
Well, sorry I didn't come up with an easy fix.... Perhaps you could post back with feedback as your project goes on, and hopefully we can help with any other issues.
