Domino Consulting - HCL Domino Administrator 11.0.1 Help

SECURING

Assigning password reset authority

Password reset authority authorizes people or applications to reset passwords and to specify ID download counts.

Before you begin

To complete this task you must have the following access:

Administrator access to the server in the HCL Domino® domain
Editor access to the Domino Directory
Physical access to the certifier ID file of each user organization whose passwords will be reset. The certifier ID file is used to issue Password Reset Certificates to the password reset authorities.

Procedure

1. Open the Domino Administrator tool panel used to specify password reset authority. Use any of the following methods:

Open the panel as you create an ID vault: select the Configuration tab, click Tools -> ID Vaults -> Create, and then perform Step f.
Open the panel as you perform other ID vault management tasks: select the Configuration tab and the Security -> ID Vaults view. Select a vault document in the view, click Tools -> ID Vaults -> Manage, and select the task Add or remove password reset authorities.
Select the Configuration tab and click Tools -> ID Vaults -> Password Reset Authority.
Select the People & Groups tab and click Tools -> ID Vaults -> Password Reset Authority.

2. To assign password reset authority, perform the steps that correspond to the type of authority you are assigning.

Table 1. Ways to Assign Password Reset Authority

Type of password reset authority	Steps	Comments
Authority for help desk personnel to reset user passwords through the Domino Administrator	1. From the Password reset authority by organization list select the organization or organizational unit of users whose passwords will be reset. 2. From the list of available users, groups and servers or the list of organization units, select who will be allowed to reset the passwords of users in the organization highlighted in the previous step. 3. Click Add to give the user, group, or organizational unit password reset authority for the organization or organizational unit highlighted. Or click Add To All to give the user, group, or organizational unit password reset authority for all organizations in thePassword reset authority by organization list. 4. Repeat steps a through c as necessary.	Selecting a group creates individual Password Reset Certificates for each current member. Future changes in group membership do not cause corresponding changes to Password Reset Certificates.
Authority for an agent password reset application	1. From the Password reset authority by organization list select the organization or organizational unit of users whose passwords will be reset. 2. From the Available users, groups and servers list, select the name of the user that has signed (or will sign) the application agent. 3. Click Add to give the selected agent signer password reset authority for the organization or organizational unit highlighted. 4. Keep the agent signer name highlighted and select Self-service password reset authority. 5. From the Available users, groups and servers list, select the name of a server or group of servers on which you will deploy the application. 6. Click Add to give the selected server or server group password reset authority for the organization or organizational unit highlighted. 7. Repeat steps as necessary.	The Server document of each authorized server must give the agent signer Sign or run restricted LotusScript/Java agents. A server does not have to have a replica of the vault. To sign the agent, from Domino Designer, switch to the user ID that has or will have password reset authority, click Code -> Agents and double-click, select the agent, and then click Sign. If you select a server group name, a Password Reset Certificate is issued to each server that is currently a member of the group. Future changes in group membership do not cause corresponding changes to Password Reset Certificates. Select Self-service password reset authority for the agent signer even if the users of the application are help desk personnel who will reset passwords for users.
Authority for a non-agent password reset application	1. From the Password reset authority by organization list select the organization or organizational unit of users whose passwords will be reset. 2. From the Available users, groups and servers list, select the name of a user or server under which the application is authorized to run. 3. Click Add to give the selected user or server name password reset authority for the organization or organizational unit highlighted. 4. If you added a user name, keep the user name highlighted, and select Self-service password reset authority. 5. Repeat steps as necessary.	Select Self-service password reset authority for a user name even if the users of the application are help desk personnel who will reset password for users.

Setting up the sample self-service application to allow ID vault users to reset their Notes passwords
A Domino server comes with the Sample Web Agent - Reset User Password application (PwdResetSample.nsf). The application contains a sample LotusScript agent called UserPasswordReset that enables users with IDs stored in an ID vault to reset their Notes passwords from a browser. A user who has forgotten his or her Notes password might do this to specify a new one.

Parent topic: Creating and configuring an ID vault

Related concepts
ID vault password reset security

Help on Help

All Help Contents

Help on Help

All Help Contents