Restoring user ID files using ID vault
The ID vault is a Domino database that stores copies of user ID files. This allows Domino to be able to restore user ID files and to reset user account passwords. One Identity Manager provides a process for resetting the passwords in the ID vault.
Prerequisites
-
The Domino server that communicates with the gateway server, is also the ID vault server.
-
There are running permissions defined for agents for the synchronization user account. For more information, see Running restricted LotusScript/Java agents.
-
ID vault database permissions for the synchronization user account are set to: Manager access function and Auditor role. For more detailed information, see your Domino documentation.
-
Permissions for restoring passwords of the synchronization administrative user account and the ID vault server are set. For more detailed information, see your Domino documentation.
To use the ID vault
-
In the Manager, select the HCL Domino > Domains category.
-
Select the domain you want to use for the ID vault in the result list and run the Change main data task.
-
Set the ID vault enabled option.
This setting effects all user accounts in the domain.
- Save the changes.
NOTE: If certain user accounts are excluded from the ID vault by the ID vault policy in Domino, the password cannot be reset by One Identity Manager.
In order to ensure the passwords for all user accounts in a domain can be reset, assign a policy for ID Vault that cover the whole organization.
When a new user account is published in Domino, One Identity Manager saves the initial password in the One Identity Manager database (NDOUser.PasswordInitial). This initial password is used when a user account password needs to be reset. Passwords are saved automatically for user accounts that are initially setup in One Identity Manager. The initial password for all other user accounts has to be transferred to the One Identity Manager database by a customized process.
To reset a user account password
-
In the Manager, select the HCL Domino > User accounts category.
-
Select the user account in the result list.
-
Select the ID restore task.
This task starts the NDO_NDOUser_PWReset_from_Vault process. This process replaces the password from the user ID file saved in the ID Vault with the initial password from the One Identity Manager database. If the user is logged into the Notes client at this point, the user‘s local ID file is replaced with the update copy from the ID Vault. The user has to login with the initial password when the Notes client is started the next time. If the user is not logged into the Notes client when the password is reset, the updated ID file must be provided separately.
Once the password has been successfully reset, the user must be provided with initial password and the ID file if necessary. This process has to be customized to meet your needs.
Restoring user ID files through ID restore
ID restore is a One Identity Manager mechanism that can be used when a user has forgotten his password or the ID file itself has been lost. If the user ID file is restored with the ID restore procedure, the full name of the user account and the display name are determined from the user account name, organizational unit and certificate.
The following information is required to run an ID restore:
-
An ID file that is initially imported into the database including the associated password (NotesUser.NotesID, NotesUser.PasswordInitial)
-
The certifier that the initial ID file was created with (NotesUser.UID_NotesCertifierInitial)
-
A copy of the initially loaded or added person document in the gateway server’s archive database archiv.nsf
-
The GUID of the document copy in the archive database (NotesUser.ObjectGUID_Archiv)
This data is automatically generated and saved for the user accounts that were added in the One Identity Manager. A one-off custom import of the files mentioned above has to be run for all other user accounts.
To restore the user ID file
-
In the Manager, select the HCL Domino > User accounts category.
-
Select the user account in the result list.
-
Select the ID restore task.
The ID restore process carries out the following steps:
-
Deletes all current person documents from the Domino directory.
-
Copies initial person documents from archive database to the Domino directory.
-
Exports the initially saved ID files to the gateway server.
-
Starts the AdminP request to track the changes made to the original ID up until now. This includes changes to the components of the user’s name, changes to the ID expiry date and exchanging certifiers.
-
Update the restored person document using the known values.
- If the ID file is restored, provide the user with the ID file and the initial password.
Related topics
Locking and unlocking Notes user accounts
A user is considered to be locked in Domino if it is no longer possible for the user to log on to a server in the domain with this user account. The user loses access to the mailbox file through this. Access to a server can be prevented if the user account has the Not access server permissions type for the corresponding server document. This is very complicated in environments with several servers because a user account, which is going to be locked, must be given this permissions type for every server document.
For this reason, denied access groups are used. Each denied access group initially gets the Not access server permissions type for each server document. A user that is going to be locked becomes a member of the denied access group and therefore is automatically prevented from accessing the domain servers.
The way you lock user accounts depends on how they are managed.
Scenario: The user accounts are linked to identities and are managed through account definitions.
User accounts managed through account definitions are locked when the identity is temporarily or permanently disabled. The behavior depends on the user account manage level. Accounts with the Full managed manage level are disabled depending on the account definition settings. For user accounts with a manage level, configure the required behavior using the template in the NDOUser.AccountDisabled column.
Scenario: The user accounts are linked to identities. No account definition is applied.
User accounts managed through user account definitions are locked when the identity is temporarily or permanently disabled. The behavior depends on the QER | Person | TemporaryDeactivation configuration parameter
-
If the configuration parameter is set, the identity’s user accounts are locked when the identity is permanently or temporarily disabled.
-
If the configuration parameter is not set, the identity’s properties do not have any effect on the associated user accounts.
To lock the user account when the configuration parameter is disabled
-
In the Manager, select the HCL Domino > User accounts category.
-
Select the user account in the result list.
-
Select the Change main data task.
-
On the General tab, set the Account is disabled option.
- Save the changes.
Scenario: The user accounts are not linked to identities.
To lock a user account that is no longer linked to an identity
-
In the Manager, select the HCL Domino > User accounts category.
-
Select the user account in the result list.
-
Select the Change main data task.
-
On the General tab, set the Account is disabled option.
- Save the changes.
The user account becomes anonymous when it is locked and is not shown in address books. Access to Notes servers is removed. The TargetSystem | NDO | MailBoxAnonymPre configuration parameter is checked if the user is made anonymous.
To unlock a user account
-
In the Manager, select the HCL Domino > User accounts category.
-
Select the user account in the result list.
-
Select the Change main data task.
-
Disable the Account is disabled option on the General tab.
- Save the changes.
Anonymity is rescinded and the user account removed from denied access groups.
Detailed information about this topic
Related topics
Deleting and restoring Notes user accounts
NOTE: As long as an account definition for an employee is valid, the employee retains the user account that was created by it. If the account definition assignment is removed, the user account that was created from this account definition, is deleted.
You can delete a user account that was not created using an account definition through the result list or from the menu bar. After you have confirmed the security alert the user account is marked for deletion in the One Identity Manager. Depending on the deferred deletion setting, the user account is either deleted immediately from the address books and the One Identity Manager database or at a later date.
For more information about deactivating and deleting employees and user accounts, see the One Identity Manager Target System Base Module Administration Guide.
To delete a user account that is not managed using an account definition
-
In the Manager, select the HCL Domino > User accounts category.
-
Select the user account in the result list.
- Click in the result list.
- Confirm the security prompt with Yes.
To restore a user account
-
In the Manager, select the HCL Domino > User accounts category.
-
Select the user account in the result list.
-
Click in the result list.
Related topics