USER AND SERVER CONFIGURATION


Moving a user name in the name hierarchy
When you move a user to a different Organizational Unit, the certifier changes, and therefore the user's name hierarchy changes. Because the name hierarchy in IBM® Lotus® Domino® and IBM® Lotus® Notes® is part of the user's name, moving a user to a different certifier essentially changes the user's name. You can use the Administration Process to move a user name to a different location (Organizational Unit) in the organization's hierarchical name scheme or to move a name to a different Organization altogether.

For example, if Alice Brown/Marketing/Acme leaves a job in the Marketing department for a job in Sales, you can certify her user ID with the /Sales/Acme certifier, which, in effect, moves her to that Organizational Unit. Her full hierarchical name then becomes Alice Brown/Sales/Acme.

You can also move a user to another Organization; to do so, however, your Domino Directory must contain cross-certificates between the Organizations involved. For example, if Alice Brown/Marketing/Acme leaves a job at Acme to work for the Acme subsidiary AcmeSub, which has its own Organization Certifier, you can certify her ID with the /AcmeSub certifier so that her name becomes Alice Brown/AcmeSub. In this example, the Domino Directory must have cross-certificates between /Acme and /AcmeSub.

There are two parts to moving a user name:

1. Request the move using the originating certifier.

2. Complete the move by using the target (new) certifier to approve the request and issue the new certificate.
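
The naming rules above can be checked before a batch of moves is submitted. The following Python sketch is an added example, not IBM code or part of the original page: it derives the new hierarchical name, identifies the originating and target certifiers, and flags when cross-certificates between two Organizations are needed. The function names and the case-insensitive comparison are assumptions of the example.

```python
# Added example: models the naming rules described above; not IBM code.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class MovePlan:
    new_name: str
    request_certifier: str   # originating certifier: requests the move
    complete_certifier: str  # target certifier: approves, issues certificate
    cross_cert_pair: Optional[Tuple[str, str]]  # set if Organizations differ


def split_name(abbreviated: str) -> Tuple[str, str]:
    """Split 'Common Name/OU/.../O' into (common name, '/OU/.../O')."""
    common, _, hierarchy = abbreviated.strip().rstrip("/").partition("/")
    if not common or not hierarchy:
        raise ValueError(f"not a hierarchical name: {abbreviated!r}")
    return common, "/" + hierarchy


def organization(certifier: str) -> str:
    """The Organization is the last component of a certifier name."""
    return "/" + certifier.rstrip("/").rsplit("/", 1)[-1]


def plan_move(old_name: str, new_certifier: str, qualifying_ou: str = "") -> MovePlan:
    common, old_certifier = split_name(old_name)
    new_certifier = new_certifier.strip().rstrip("/")
    if not new_certifier.startswith("/") or len(new_certifier) < 2:
        raise ValueError(f"certifier must look like '/OU/O': {new_certifier!r}")
    # Comparing names case-insensitively is an assumption of this example.
    if old_certifier.lower() == new_certifier.lower():
        raise ValueError("user is already under the target certifier")
    # An optional qualifying org unit sits between common name and certifier.
    middle = f"/{qualifying_ou}" if qualifying_ou else ""
    old_org, new_org = organization(old_certifier), organization(new_certifier)
    pair = None if old_org.lower() == new_org.lower() else (old_org, new_org)
    return MovePlan(f"{common}{middle}{new_certifier}",
                    old_certifier, new_certifier, pair)


if __name__ == "__main__":
    # Constructed sample input, taken from the names used on this page.
    for name, target in [("Alice Brown/Marketing/Acme", "/Sales/Acme"),
                         ("Alice Brown/Marketing/Acme", "/AcmeSub")]:
        print(plan_move(name, target))
```

A non-empty `cross_cert_pair` means the Domino Directory needs cross-certificates between those two Organizations before the move can be completed.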

When you use the Administration Process to perform the name change, you can use an agent to notify a user of changes to private design elements during the name change.

Changing primary and alternate name information during the move

If an alternate name has been assigned, the administrator who performs the approval phase of the move automatically has the option to change primary name information. If an alternate name has not been assigned, you can designate whether the administrator who completes the move can modify primary name fields. To use the Domino alternate name functionality, Domino 5.0.2 or later must be running on all servers involved with the name change, the user's workstation, and the administrator's workstation.

Synchronizing the name change between Notes and Active Directory

While completing the move, you also have the option of synchronizing the name change between IBM® Lotus® Notes® and Active Directory. To do so, select "Rename NT user account" on the Rename Person dialog box.

To move a user name in the name hierarchy

1. To move a user name in the name hierarchy, you must have:

2. From the Domino Administrator, click the People & Groups tab.

3. Click People and select a user name.

4. From the tools pane, click People - Rename.

5. The "Honor old names for up to <x> days" field is set to 21 days by default. You can change that value if desired.

6. Click "Request Move to New Certifier."

7. In the Choose a Certifier dialog box, complete these fields:
Field | Action
Server | Do one of these:
  • If you are using the Lotus Domino server-based CA, choose the server that is used to access the Domino Directory to look up the list of certifiers.
  • If you are supplying a certifier ID, select the server that is used to locate the list of certifiers so that the Certifier ID file can be updated with the latest set of certificates for itself and all of its ancestors. This is also the server on which CERTLOG.NSF is updated.
Supply certifier ID and password | Choose this option if you are using a certifier ID and password.
  • Choose the certifier ID that certified the user's ID and click Open. For example, to rename Joe Smith/Sales/NYC/ACME, use the certifier ID named SALES.ID.
  • Click "Certifier ID" to select an ID other than the one displayed.
  • Enter the password for the certifier ID and click OK.
Use the CA process | Choose this option if you have configured the Lotus Domino server-based CA.
  • Select a CA-configured certifier from the list and click OK.

8. In the Request Move For Selected People dialog box, do the following:
Field | Action
Old Certifier | Verify the information. If it is incorrect, cancel the procedure and begin again.
New Certifier | Enter or select the new certifier. This is the name hierarchy that issues a certificate for the user in the new hierarchy. For example, to certify Joe Smith from /Sales/NYC/ACME into /Service/NYC/ACME, enter /Service/NYC/ACME or select from the list.
Edit or inspect each entry before submitting request | Selected by default. Do one:
  • Keep selected. The Rename Person dialog box appears with non-modifiable fields of Primary and Alternate Name information. Review the information for accuracy. Go to Step 9.
  • If you do not want to verify each entry, clear the check box. Review the processing information that displays to verify that all name changes were successful. If any fail, check the Certifier Log to determine the reason for the failure. Go to Step 10, then complete the procedure "To approve the name change."

9. (Optional) Click the "Allow the primary name to be changed when the name is moved" check box if you want the opportunity to change the user's name when you approve the move.

10. For each name selected, choose one of the following:

To complete the name change

1. From the Domino Administrator, click Server - Analysis - Administration Requests.

2. Choose the Name Move Requests view. This view categorizes submissions by certifier. Each name awaiting approval is listed under its new certifier. Select the name(s) to move.

3. Click Complete move for selected entries.

4. To complete the move, in the Choose a Certifier dialog box, make the following selections:
Field | Action
Server | Do one of these:
  • If you are using the Lotus Domino server-based CA, choose the server that is used to access the Domino Directory to look up the list of certifiers.
  • If you are supplying a certifier ID, select the server that is used to locate the list of certifiers so that the Certifier ID file can be updated with the latest set of certificates for itself and all of its ancestors. This is also the server on which CERTLOG.NSF is updated.
Use the CA process | Choose this option if you have configured the Lotus Domino server-based CA.
  • Select a CA-configured certifier from the list and click OK.
Supply certifier ID and password | Choose this option if you are using a certifier ID and password.
  • Choose the certifier ID that certified the user's ID and click Open. For example, to rename Joe Smith/Sales/NYC/ACME, use the certifier ID named SALES.ID.
  • Click "Certifier ID" to select an ID other than the one displayed.
  • Enter the password for the certifier ID and click OK.

5. If you are moving a user name from one hierarchy to another hierarchy, a cross certificate is required. If your local Domino Directory does not contain a cross certificate for the certifier, you are prompted to create one. Click Yes.

6. In the "Certificate Expiration Date" dialog box, do the following and then click OK:
Field | Action
Certifier | The name hierarchy of the certifier that will issue the new certificate (non-modifiable).
New certificate expiration date | (Optional) Specify a certifier ID expiration date other than the default two years from the current date.
Edit or inspect each entry before submitting request | Selected by default. You can remove the check mark if you do not want to verify the entries.

7. In the Rename Person dialog box, make changes to the primary name as needed.
Field | Action
New Primary Name Information
First, Middle, and Last Name | This is the name with which the user was registered. Make changes to the user's name as appropriate.
Qualifying Org. Unit | (Optional) A name to differentiate this user from another user with the same user name, certified by the same certifier. This adds a differentiating component that appears between the common name and the certifier name.
Short Name | (Optional) Created at registration, the default is first initial, last name. You can change this name optionally. It does not change automatically based on changes to the primary name fields. You must make this change manually.
Internet Address | (Optional) Created at registration, the default is first initial, last name. You can change this name optionally. It does not change automatically based on changes to the primary name fields. You must make this change manually.
Rename Windows User Account | Available to Microsoft® Windows® Active Directory users only. Check this box if you want to synchronize the name change in both the Domino Notes and Active Directory accounts.

8. Complete the following fields as desired. These modifiable fields display only if the user ID has an alternate name assigned to it.
New Alternate Name Information | Available only if you are renaming a user whose certifying organization has alternate names assigned.
Common Name | The common name in the alternate language.
Qualifying Org. Unit | (Optional) A name to differentiate this user from another user with the same user name, certified by the same certifier. This adds a differentiating component that appears between the common name and the certifier name.
Original Language | The alternate language currently assigned to the user (non-modifiable).
New Language | Select from the list to assign a new alternate language. This option is available only if the user is moving into an Organizational Unit or Organization that has an alternate language assigned.

9. Choose one of the following:

10. When the Processing Statistics dialog box appears, review the information to verify that all name changes have succeeded. If any fail, check the Certifier Log (certlog.nsf) to determine the reason for the failure. Click OK.

The change to the user's name in the hierarchy then proceeds in the same way that a change to a Notes user's common or alternate name is completed.
