Resetting a Lotus Notes password


Chuck Connell
11.17.2005
Rating: 3.86 (out of 5)




When the Domino Certificate Authority and ID/password recovery features do not work correctly, they can be a source of great frustration to Notes/Domino administrators. Last month I wrote about the benefits of using these two features together. This new article will provide some additional information to help your implementation go smoothly. This information will for the most part apply to password recovery, whether or not you are using the Domino Certificate Authority. It will also discuss some improvements found in R7.

Resetting a password

Most of what is written about ID/password recovery (including my own articles) concerns how to set it up correctly. In practice, however, the feature is most commonly used to reset a forgotten password or restore a corrupted ID. The Notes documentation on these operations can be confusing, due to different meanings of the word "password."

There are two key ideas for users to understand about password reset.

  1. You will be entering a string of characters given to you by a Notes administrator. This string of characters is neither your password nor the administrator's password, but a special token, whose purpose is simply to let you set a new password. The Notes documentation calls this token the "recovery password," which has confused some users and administrators, who attempt to enter the administrator's password.

  2. You are not recovering the password you forgot. You are unlocking the ID so that you can reset the password to a new value.

A user who forgets their password should take the following steps:

  1. Start Notes normally.
  2. When prompted for the password (which you do not know) press Enter.
  3. Notes will show a dialog box stating that an incorrect password was entered. Press the button marked Recover Password.
  4. Select the ID file to reset. For this step, you must know the location of your ID file. It is usually called user.id or firstname_lastname.id, and is usually in the Notes\Data directory. In some organizations, the ID files are all kept in a shared network folder.
  5. You will see a list of "recovery administrators" -- people who can help you reset your password. The dialog box will also show you how many of these people you must call to complete the reset process.
  6. Call some of the administrators listed and ask them for your recovery password. Write down the recovery passwords carefully -- they are usually 16 characters long.
  7. Enter the recovery password(s) given to you by your administrator(s) in the "Enter Passwords" dialog box. When you have done so correctly, your ID will be unlocked and you will be prompted to enter a new Notes password.
  8. If you maintain more than one copy of your Notes ID file (e.g., on a laptop or USB memory stick), be sure to replace those copies with the updated ID file containing your new password.

To help a user reset a Notes ID password, an administrator should take the following steps:

  1. When a user calls asking for a recovery password, go to the server-based ID Recovery database.
  2. Find the latest backup ID for that user, and detach it to a temporary directory. The name of the file will usually be ~~tmpid.ide.
  3. Using Domino Administrator, choose the option Configuration / Certification / Extract Recovery Password. Enter your own password when prompted.
  4. You will be shown the recovery password for this user. It is usually 16 characters long, so read it carefully to the user.

Recovering an ID file

Recovering a lost or corrupted ID file is the same as resetting the password for an existing ID file, with one addition. Before the process can begin, ask a Notes administrator to send you the latest encrypted backup copy of your ID file (from the ID Recovery database).

Since you are locked out of your Notes workstation, the administrator cannot simply send the ID to you by e-mail. You will need to retrieve the backup ID file either by going to the administrator's office, using a co-worker's e-mail account or by getting the file put on a diskette or CD and having it sent to you by snail mail.

Once you have the backup ID file, install it into the Notes\Data directory on your computer. If the file comes to you with a temporary name, such as ~~tmpid.ide, you should rename it to something more meaningful, such as firstname_lastname.id.

(If all IDs are stored in a shared network folder, the administrator may do some of these steps for you, by placing the ID file directly in the network folder. In some cases, administrators can put the ID file directly onto your C drive.)

Password reset can now proceed just as outlined above, as if you had forgotten the password for the ID.

Backup IDs in recovery database

When an administrator makes changes to recovery information in a certifier, that information is pushed out to each user's ID file. In turn, a new encrypted backup copy of the ID file is sent from each user to the ID Recovery database on the server. Both of these operations happen silently and automatically. In some instances, however, administrators have reported that Notes takes a long time to send users' backup ID files to the ID Recovery database. If this is the case, here are some tricks that may move things along.

  • Each user's client location document must be set up correctly, pointing to their correct home/mail server, with correct settings on the Mail tab of the location document.
  • In order for the backup ID to be sent to the server, each user's Notes client must be idle for 10 minutes after connecting to their home server, with no dialogs open.
  • Each user's ID file must be stored on a local drive and must be writable. (There is conflicting information about whether the backup ID process supports ID files stored on shared network folders. I would assume that network folders are supported, but you should be aware of this question in the event you have unexplained problems.)
  • If a user has left their workstation on for many days without the backup ID process completing, they should restart it.
  • As a last resort, users can manually change their password, which may bump Notes to send their backup ID to the server.
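A check for step 8 of the user procedure and for the writable-ID requirement in the list above, as an added example that is not part of the original article: it compares every same-named copy of an ID file against the updated one and flags copies that still differ. The file name jane_doe.id, the directory layout and the function names are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so slow network shares are handled gracefully."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_id_copies(current_id: Path, search_roots: list[Path]) -> dict:
    """Compare every same-named copy under search_roots with current_id."""
    current_id = current_id.resolve()
    reference = sha256_of(current_id)
    report = {
        # The backup-ID process needs a writable ID file (see the list above).
        "writable": os.access(current_id, os.W_OK),
        "stale": [],      # copies whose bytes differ from the updated ID
        "current": [],    # copies already identical to the updated ID
    }
    for root in search_roots:
        for candidate in root.rglob(current_id.name):
            candidate = candidate.resolve()
            if candidate == current_id or not candidate.is_file():
                continue
            bucket = "current" if sha256_of(candidate) == reference else "stale"
            report[bucket].append(candidate)
    return report


def demo() -> dict:
    """Constructed layout: a data directory plus a USB and a laptop copy."""
    base = Path(tempfile.mkdtemp())
    data, usb, laptop = base / "Data", base / "usb", base / "laptop"
    for d in (data, usb, laptop):
        d.mkdir()
    (data / "jane_doe.id").write_bytes(b"constructed ID bytes, new password")
    (usb / "jane_doe.id").write_bytes(b"constructed ID bytes, old password")
    (laptop / "jane_doe.id").write_bytes(b"constructed ID bytes, new password")
    return audit_id_copies(data / "jane_doe.id", [base])


if __name__ == "__main__":
    print(demo())
```

Any path reported under "stale" is a copy that should be replaced with the updated ID file.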

Notes/Domino R7 contains two useful additions to the password recovery feature. The first is that the length of the recovery password is configurable, so it can be less than 16 characters. This is helpful if the users in your organization often forget their passwords, and if you are willing to sacrifice some security for convenience. The second enhancement is that there is better logging of Notes client operations during the silent process of sending new recovery information to user ID files, and the transmission of new backup IDs to the server. These log entries are found in the local log.nsf on each user's workstation.

One final word of advice that applies to all versions of Notes/Domino: Certifiers themselves, whether top-level or organization unit, cannot be reset by password recovery. So be sure to remember those certifier passwords. For further information, you can check out Domino Administrator 7 Help / Index / IDs / Recovering or Notes 7 Help / Index / Passwords / Recovering.

Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes.
