The ID Vault is a IBM Domino database that stores copies of user ID files. This allows IBM Notes to be able to restore user ID files and to reset user account passwords. The One Identity Manager provides a process for resetting the passwords in the ID vault.
To use the ID vault
This setting effects all user accounts in the domain.
NOTE: If certain user accounts are excluded from the ID vault by the ID vault policy in IBM Notes, the password cannot be reset by One Identity Manager.
In order to ensure the passwords for all user accounts in a domain can be reset, assign a policy for ID Vault that cover the whole organization.
When a new user account is published in the IBM Notes environment the One Identity Manager saves the initial password in the One Identity Manager database (NotesUser.PasswordInitial). This initial password is used when a user account password needs to be reset. Passwords are saved automatically for user accounts that are initially setup in the One Identity Manager. The initial password for all other user accounts has to be transferred to the One Identity Manager database with a customized process.
To reset a user account password
This task starts the process NDO_NDOUser_PWReset_from_Vault. The password from the user ID file saved in ID Vault is replaced by the initial password from the One Identity Manager database by this process. If the user is logged into the IBM Notes client at this point, the user‘s local ID file is replaced with the update copy from the ID Vault. The user has to login with the initial password when the IBM Notes client is started the next time. If the user is not logged into the IBM Notes client when the password is reset, the updated ID file must be provided separately.
Once the password has been successfully reset, the user must be provided with initial password and the ID file if necessary. This process has to be customized to meet your needs.
ID restore is a One Identity Manager mechanism that can be used when a user has forgotten his password or the ID file itself has been lost. If the user ID file is restored with the ID restore procedure, the full name of the user account and the display name are determined from the user account name, organizational unit and certificate.
The following information is required to run an ID restore:
This data is automatically generated and saved for the user accounts that were added in the One Identity Manager. A one-off custom import of the files mentioned above has to be run for all other user accounts.
To restore the user ID file
The ID restore process carries out the following steps:
|TargetSystem\NDO\MailBoxAnonymPre||Prefix for user account anonymity.|
|QER\Person\TemporaryDeactivation||This configuration parameter specifies whether user accounts for an employee are locked if the employee is temporarily or permanently disabled.|
A user is considered to be locked in IBM Notes if it is no longer possible for the user to log on to a server in the domain with this user account. The user loses access to the mailbox file through this. Access to a server can be prevented if the user account has the permissions type "Not access server" for the corresponding server document. This is very complicated in environments with several servers because a user account, which is going to be locked, must be given this permissions type for every server document.
For this reason, denied access groups are used. Each denied access group initially gets the permissions type "Not access server" for each server document. A user that is going to be locked becomes a member of the denied access group and therefore is automatically prevented from accessing the domain servers.
The way you
User accounts managed through account definitions are
User accounts managed through user account definitions are
To lock a user account when the configuration parameter is disabled
To lock a user account, which is not linked to an employee
The user account becomes anonymous when it is locked and is not shown in address books. Access to Notes servers is removed. The configuration parameter "TargetSystem\NDO\MailBoxAnonymPre" is checked if the user is made anonymous.
To unlock a user account
Anonymity is rescinded and the user account removed from denied access groups.
If a user account is deleted in One Identity Manager, it is initially marked for deletion. The user account is therefore locked. Depending on the deferred deletion setting, the user account is either deleted immediately from the address books and One Identity Manager database or at a later date.
|NOTE: As long as an account definition for an employee is valid, the employee retains the user account that was created by it. If the account definition assignment is removed, the user account created through this account definition, is deleted.|
To delete a user account
To restore user account
By default, user accounts are finally deleted from the database after 30 days.The user accounts are initially disabled. You can reenable the user accounts until deferred deletion is run. After deferred deletion is run, the user account are deleted from the database and cannot be restored anymore. You can configure an alternative deletion delay on the table NDOUser in the Designer.