Ask the Experts Q&A session: Managing Domino - Policies are your friend! - 13 May 2014 (Audio Replay and Q&A)
IBM hosted an Ask the Experts Q&A session on May 13, 2014. The topic was "Managing Domino - Policies are your friend!" Jana Medlin gave a short demo, and she was joined by Mark Skurla and several other members of the Domino Support and Development teams for Q&A.
- 49:23 minutes long
- Q&A begins at 8:35
- Using Auto-populated groups
- Frequently Asked Questions About Dynamic Client Configuration (DCC)
- Self-Training: Troubleshooting Domino policies and settings documents
- Debug Decision Tree: Notes & Domino Policy Troubleshooting Flowchart
- Machine-specific policy settings
- Domino Policy Precedence Explained
- Wiki articles: http://www-10.lotus.com/ldd/dominowiki.nsf/xpViewTags.xsp?categoryFilter=Policies
- Dynamic Client Configuration & Timing
- Mail & Custom policies
- General Administration
Dynamic Client Configuration & Timing
Q1. Is there any documentation for ndyncfg?
ndyncfg is also referred to as "Dynamic Client Configuration" or "DCC".
- Technote 1137728 - Known Policy issues with Dynamic Client Configuration
- Technote 1137646 - Dynamic Client Configuration does not run or update Location documents
- Technote 1162306 - Troubleshooting difficulties with applying policies in Notes/Domino
Q2. Is there a way to force policy updates to users? We have users who never exit their Notes client until their password expires.
You can force a policy to users by dropping the users from the Admin client; when they re-authenticate with the server, the DCC will run to pull down the policy.
Q3. Issuing "C:\Program Files (x86)\ibm\Lotus\Notes>ndyncfg 0x20" returns "Lotus Notes: error 0x1A5"
It can't find notes.ini. Go to the directory with notes.ini and launch ndyncfg from there with its full path, or put it in the path.
Q4. We use the Notes client for app hosting only. Our users don't interact with the mail server. I've got the command line working to force the dynconfig to run, but outside of sending out some sort of batch file and forcing users to run it, is there a way to run a similar command via LotusScript, or to enforce it to run? What I'd really like is the equivalent of a Program document, but have it run monthly on the client. Is there something like that I can do?
- There is LotusScript that can be used to clean out the dynamic configuration profile for the users. That was also listed in my SlideShare presentation @ http://www.slideshare.net/MarkSkurla/connect-2014-id112-domino-policies-deep-dive-and-best-practices
- We'll have to research this with the client team.
Q5a. When you use a Dynamic policy, when can you expect it to be pushed down to the client?
Policies get applied when a user re-authenticates with their client. So if you were to change a policy, once the user logs out and then logs back in, that policy should be pulled down again, any updates to that policy should be pulled down, and what you'll see in the status bar is "Notes Configuration Settings has been refreshed." Once you see that, you should see the new policies take effect.
The timing of policy execution is always a question, and it is a complicated answer because, for example, policy changes are always recommended to be made on the Admin server of the domain. Then that change has to replicate out to the home mail server of the user, then the view index has to be rebuilt, which is usually once a minute, and then the user has to connect with a fresh session. So, for example, if you change the policy at noon and the user was logged in at 8AM that day, until they log out and back in, they're not going to see it.
NOTE: That rule doesn't apply to mail policies. Mail policies are done via AdminP, and that's an every-12-hour thing, so you can force that by issuing Tell AdminP Process Mail Policy on the server console once you've set up your mail policy to push out to all of your users. The Mail Traveler is also another one that goes through AdminP.
Q5b. Couldn't the Admin issue a Drop All on the Mail server if they wanted to force a re-authentication to occur?
Yes, they could.
Q5c. Oh really, so it's NOT restarting the Notes client, it's just making a new Notes session.
Right, it has to be a fresh session. Basically when you do a fresh connection, the dynamic configuration handshake occurs and that only occurs on that fresh handshake, so that's what you're actually forcing there.
Q6. So a Drop All would be a way to kind of push policy?
Right. What you could do, for example, if you wanted to really force it, is refresh the policy view in the Domino Directory via the client or via Load Updall names.nsf -t $policies -r, and that would rebuild the $Policies view. Then you could do the Drop All. What that does is it makes fresh connections happen, and with the $Policies view having been updated, that forces a policy update for everybody.
Q7. Have you documented the loading of ndyncfg on the client with the command line argument?
- It's available in the policy presentation that I did at Connect, that's been updated to SlideShare. ID112 Domino Policies Deep Dive and Best Practices @ http://www.slideshare.net/MarkSkurla/connect-2014-id112-domino-policies-deep-dive-and-best-practices
- If you happened to be on a user's client and you wanted to force a policy refresh or reload, you could actually just run ndyncfg (the user obviously has to be logged in with their Notes client) in a command prompt with a command line argument (ndyncfg 0x20), and that would force a policy reload. For example, if you were an admin troubleshooting with a user and you wanted to work with them directly to make sure they had the latest policy loaded, you could do that.
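As an added example (not from the session or from IBM), the following PowerShell script performs the client-side refresh described in Q3 and Q7: it runs ndyncfg 0x20 from the directory that holds notes.ini, which is the fix given for error 0x1A5. The parameter names, the notes.ini location handling and the nlnotes process-name check are this script's own assumptions; the install path is the one quoted in Q3.

```powershell
# Added example: force a Dynamic Client Configuration (DCC) policy refresh on a
# Windows Notes client with "ndyncfg 0x20", launched from the notes.ini directory
# so the 0x1A5 "can't find notes.ini" error from Q3 does not occur.
param(
    # Notes program directory; the default is the path quoted in Q3.
    [string]$ProgramDir = 'C:\Program Files (x86)\IBM\Lotus\Notes',

    # Directory that contains notes.ini. Single-user installs keep it in the
    # program directory; multi-user installs keep it in the per-user data
    # directory (assumption: pass the correct path for your install).
    [string]$IniDir = $ProgramDir
)

$exe = Join-Path $ProgramDir 'ndyncfg.exe'
$ini = Join-Path $IniDir 'notes.ini'

if (-not (Test-Path $exe)) { throw "ndyncfg.exe not found at $exe" }
if (-not (Test-Path $ini)) { throw "notes.ini not found at $ini" }

# Q7: the user must already be logged in to the Notes client. nlnotes.exe is
# assumed here to be the Notes client process name; adjust if yours differs.
if (-not (Get-Process -Name 'nlnotes' -ErrorAction SilentlyContinue)) {
    Write-Warning 'The Notes client does not appear to be running; log in first.'
}

# Launch with the full path, but with the notes.ini directory as the working
# directory (the fix from Q3), wait for completion, and report the exit code.
$proc = Start-Process -FilePath $exe -ArgumentList '0x20' `
    -WorkingDirectory $IniDir -Wait -PassThru

if ($proc.ExitCode -ne 0) {
    Write-Error "ndyncfg exited with code $($proc.ExitCode)"
} else {
    Write-Output 'ndyncfg 0x20 completed. Watch the Notes status bar for'
    Write-Output '"Notes Configuration Settings has been refreshed."'
}
```

Run it in the logged-in user's session; as Q5a notes, the refresh only reflects policy changes that have already replicated to the user's home mail server.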
Mail & Custom policies
Q8. If changing Mail Settings, does the 'Tell Adminp Process Mail Policy' need to be run from the Admin server, or can you run it from the home mail server once the changes have replicated?
It should be run on the mail server end. Also, you're right to ensure that replication has occurred from the server where you modified the policies (the admin server) to the mail server.
Q9. We've been trying to apply a Message Recall policy. We want users not to be able to disable message recall, so that it's always possible for users internally to be able to recall messages sent in error. We created a Mail Settings policy and we set up the settings that other users are allowed to recall messages they sent to these users and we set prevent changes. I just heard a few minutes ago about mail policies being applied every 12 hours. We actually saw the documentation and we even tried to force it using Tell Adminp Process Mail Policy. I saw the policies coming to the Notes client, opened $Policies view and saw it come in there, and saw the Notes configuration being refreshed.
However, whenever I go to the Mail Preferences (I left it disabled on purpose to see if it would be re-enabled), the setting is still disabled. It's like the policy had no effect, even a few days after it's been applied. What else can I check before opening a PMR?
- The key thing is that even though the mail policy comes down to the client, it's actually only the AdminP part that matters. It takes effect in the mail file. Examine the Calendar Profile on the mail file for the value. If it's not present there, then it won't be in the Mail Preferences area. If you've done Tell AdminP Process Mail and it's not taking effect there, then it's an AdminP issue. In that case, open a PMR.
- The only thing I've ever seen on the AdminP side is sometimes if you have a lot of people on your directory, there is a name lookup limit, which is 1MB. I have seen cases where people don't see mail policies applied, and when they run Tell AdminP Process Mail, it says that zero databases were updated. So if you do that and see that zero databases were updated, look to see if you have a namelookup error that preceded it. In which case, there is an ini that could be set to extend that limit.
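The check suggested in the first answer to Q9, as an added example that is not part of the session: this PowerShell script opens a mail file through the Notes client's COM automation class (Lotus.NotesSession) and lists the items of its CalendarProfile profile document, optionally filtering to one field, so you can see whether the value set by a Mail Settings policy has actually reached the mail file. The parameter names are this script's own; the field name you pass must come from your own policy settings document.

```powershell
# Added example: inspect the Calendar Profile of a mail file to confirm that a
# mail policy value has been written there by AdminP (Q9). Requires a Notes
# client and ID on this machine; for a 32-bit Notes client run this from a
# 32-bit PowerShell, since the COM class is loaded in-process (assumption).
param(
    # '' means the home server recorded for the current Notes session.
    [string]$Server = '',

    # Mail file path relative to the data directory, e.g. 'mail\jdoe.nsf'
    # (constructed example value).
    [Parameter(Mandatory)][string]$MailFile,

    # Optional: report only this profile item (the field your policy sets).
    [string]$FieldName,

    # ID password; when omitted, Notes prompts for it.
    [string]$Password
)

# Lotus.NotesSession is the Notes client's COM automation entry point.
$session = New-Object -ComObject 'Lotus.NotesSession'
if ($Password) { $session.Initialize($Password) } else { $session.Initialize() }

$db = $session.GetDatabase($Server, $MailFile, $false)
if (-not $db.IsOpen) { throw "Could not open '$MailFile' on server '$Server'" }

# Mail policy values land in the mail file's CalendarProfile profile document;
# that is what the Mail Preferences dialog reads (per the Q9 answer).
$profile = $db.GetProfileDocument('CalendarProfile')

$items = foreach ($item in $profile.Items) {
    if ($FieldName -and $item.Name -ne $FieldName) { continue }
    [pscustomobject]@{ Name = $item.Name; Type = $item.Type; Value = $item.Text }
}

if ($FieldName -and -not $items) {
    # Missing here means AdminP has not yet applied the mail policy to this file.
    Write-Warning "'$FieldName' is not in the Calendar Profile of $MailFile; the mail policy has not reached this mail file yet."
} else {
    $items | Sort-Object Name | Format-Table -AutoSize
}
```

If the field is absent after Tell AdminP Process Mail Policy has run on the mail server, compare the server console for the zero-databases-updated and name lookup messages described in the second answer to Q9.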
Q10. I'm wondering how Mail policies are applied to mail-in databases? We have mail-in databases that are getting Mail policies applied to them for archiving, for example.
I'm not actually aware of mail policies being applied to mail-in databases. What's in the Mail File Owner field? You have to apply the mail policy to a person, so if there's a person's name in the Mail File Owner field of that mail-in database, then that's how it's applying it. For further assistance, open a PMR.
Q11. Is there a way through a policy or some other means that you could push out LotusScript to run for every user just once?
No. Mainly policies are to push out settings, account information, and INIs. We don't have any place to put LotusScript information.
Q12. I don't see anywhere in policies where you can do that much manipulation of Locations.
Location document settings are in a Custom Desktop policy. If you know what the field value is, you can put that in the Locations tab of the Custom Desktop settings. At the very end of the Desktop policy, if you scroll all the way to the right, there's a Custom tab, and then there's Locations. But you need to know the field that you want to update. And it has to be like Loc_All in the field name, because that's actually how it knows that it applies to Locations.
One issue with that is that it only applies to all the Location documents currently present in the Personal Names & Address Book. So if the person later adds an additional Location document, it won't be present on that Location. Also, it applies to ALL Locations; you can't choose just Office or Home.
NOTE: You can't Null out a value; you can just change a value.
Q13. We've been requested to create a custom policy to set a specific browser for the Notes (Standard) client. I've read some documentation that points to creating a custom policy to actually edit some specific file within the Notes install. The other policy that changes the location settings only applies to the Basic client. The thing is, we're actually running 853FP6, and in my version of the NAB template I don't see a Custom tab. So I just want to confirm with you guys: in which exact version were the Custom tab and Custom Policies made available?
- I know it's for sure in 8.5x, not sure about 8.0x
- The Custom tab has been there for a while, I'm not sure of the exact version. The Desktop policy is large and has many tabs, and I believe with the Custom tab you actually have to right click on the right arrow to get to the tab, so it's actually kind of scrolled off.
- Policies by groups should work just fine.
- You should not have any issues with assigning Policies to Groups - unless there is a problem with the Group document
- Testing scenarios can play a big role in the success/failure of testing the policy assignment (no matter which version). If I test explicit policies with several users on the same box, and switch IDs between users, I find the policy may not always get pulled down to the client. In other words, I have found that it's always best to test the exact production scenario that I will implement (single user on a workstation, not switching IDs back and forth between everyone). Also, the type of group matters, as I'm sure you already know: use a multi-purpose group.
Q15. Is it better to use Groups, or can we assign to individuals? Or does it matter?
As a rule of thumb, it is easier for an Admin to manage users with Groups.
Q16. If I want to use policies to push bookmarks what is the simplest way to do this effectively? I have users that are in different groups that have explicit policies assigned to them but only certain bookmarks show up.
Technote 1264021 - Can a policy be used to add databases to bookmarks or the workspace
Q17. We have several groups that get assigned different settings or some just get different bookmarks. Sometimes I have a member that's in three groups that needs to get specific bookmarks. What is your recommendation on how to set up those policies, explicit policies, that get pushed down to the user so they get all of the bookmarks from whatever groups they're in? Are there any issues with that?
There is an issue there that we have an SPR on. There's something called additive fields. What you really want there is an additive field, so that if you have a user in two different groups, for example a Sales group and a Southeast Region group, and you had bookmarks in each of those policies, they would add together. Unfortunately, what happens right now is that whatever policy has the highest precedence wins. So you only get one group.
- Create a new separate Settings document that would contain literally all of those bookmarks for all of the groups put together. There's not a way to cascade them. For the people that are in all three groups, basically compile a new policy that contains all of the bookmarks for all three lists.
- Temporarily assign a policy with just the bookmarks in a Desktop policy to whomever you want to get them, and then unassign it later.
- Split them out between an Organizational policy (that you roll out first) and an Explicit policy (that you roll out later). The bookmarks that everybody in the company needs would be applied via the Organizational policy, and then the additional groups have their bookmarks applied via their Explicit policies.
Q18. With Shared Login enabled, can you sync Internet password to client password in R9?
With Notes Shared Login, NSL-protected IDs are no longer protected by a password, so there is no password to synchronize. Instead, another potential option is you may be able to use the Windows credentials in Active Directory to authenticate to Domino via HTTP.
Q19. We currently have a password policy to force users to change password every 90 days; however, some of our mail servers in the domain do not have password checking turned on. If we turn it on will the user be locked out or will they be prompted to change their password once they are logged in?
Users should not be locked out if the names.nsf among your mail servers is updated (i.e., they replicate frequently). Password checking will be done on the ID vs. the Person document (password digest and last change date).
Q20. Are there any plans to allow changes to an ID Vault's password reset authorities to be able to utilize CA versus the certifier ID and password?
There is an existing enhancement request for the ID Vault to use the CA process: SPR# CSCT7XQM7E
Q21a. We currently do not prevent passwords via policy just simply because we are not really sure of the side effects of this if we were to implement this immediately. Especially with respect to syncing Internet passwords and ID passwords. If we were to implement this now, would it force everyone to immediately have to change their passwords at the same time (in order to sync their Internet passwords and ID passwords)? We're just worried about Help Desk tickets coming in from our users and confusion that may arise from implementing that kind of password management via policy. Can you lend any advice on that?
- It would require you to change the password depending on when you set the expiration date. One of the things you could do is send out an email and ask people to change their passwords, so that you could get most of these people, because you're going to be turning on this feature for password checking. That way you'll get most of them, and then you could use a dynamic policy and slowly roll out to a group of users, putting on the password checking, so that you don't have a thousand help desk calls coming in but you could get them in as you decide which organization you want to go through first.
- As an example, use the dynamic policy so you could identify them by group. For example, start with the Admins, see what the behavior is, and then extend it from there on a per server basis (for example).
Q21b. If we were to implement that change via Dynamic policy, once we get the majority of our users up to speed with password syncing, could we then change that from a Dynamic to an Organizational so that it now applies to everyone from this point forward? Or if we were to change that from Dynamic to Organizational would it again force another password change for those existing users?
- No, it wouldn't force a change because from the end user point of view, how the policy was organized doesn't matter, it's just the values. So from the end user point of view the values would be the same.
- Because you would be using the same Policy Settings document, so that wouldn't change. You'd only be changing the Organizational vs Explicit.
- Another thing, too: you could take a look at your Person docs to see if they have anything in that last change date. If they do, say you turned on password checking a while ago, and then you turned it off because maybe you had some problems, for those, when you turn that on, it will get updated with whatever their current password is. So if they've never changed their password since they've been registered (for example 2 years ago), as soon as you turn on password checking, it will post a Change User Password in the Domino Directory request and put in what their current password is. So then you'll have a last change date, and then you can kind of gauge from there. If a lot of people have not changed their password because it shows like 2 years ago, then you could set the expiration for something longer so they won't get locked out when you first force the password change.
Q21c. Are there any Whitepapers or anything available to kind of step us through that?
Technote 1229000 - Implementing password expiration without locking out users
Q22. When is a Policy applied?
Usually not until the policy is pulled down to the client, then the user restarts the client. Security Policies that affect passwords may not go into effect until the next time the user changes their password.
Q23. Can you discuss Active Directory Authentication Integration and policies?
SAML integration unlocks the ID from the Vault, so even though the user is logging in via Active Directory credentials, Domino knows you as the Notes ID and can apply your policies as normal.
Q24. Can Desktop policies push settings to notes.ini, and are null values supported?
You can't push a NULL since it's considered the same as not having the value at all.
Q25. When consolidating Domino domains, what is the best way to have the policies on the target domain from the source domain? Just copy and paste or we have to recreate the policy in the target domain?
- Best practice is to recreate, because you have to watch out for the UNIDs.
- That is not a simple question. There are several things involved - cross-certifying the Domains, etc. I would create new Policies and Settings documents in the Target Domain.
- Copy and paste is fine, but you do have to reconnect the settings to the policies since the UNIDs will be different when you paste into the new Domino Directory
Q26. Is it possible to apply policies by machine OS type yet?
Machine specific policies should allow that as long as there is an @function to check the OS.
Technote 1501673 - Machine-specific policy settings
Q27. I'm wondering if there were any policy enhancements in Domino 9 or 9.0.1 that you could go over quickly?
We didn't add any new features, just additional policy settings for the different areas. So no core changes to the policy engine.
Q28. There always seems to be confusion about the enforce in child policies option, can you talk about that a minute?
Sometimes people confuse the enforcement with "Set value and prevent changes," which is a "How to apply" control. The "Set value and prevent changes" prevents users from changing the values. The enforcement is just an override mechanism, which applies only if you have a Child policy.
And what it really does is invert precedence. So normally, the more specific policies have precedence. Explicit takes precedence over Dynamic, and Dynamic takes precedence over Organizational. So enforcement changes that. If you turn on enforcement at the Organizational level, it would then have bigger scope, and it would then win out over the lower level policy.
-> Domino Policy Precedence Explained
Q29. Is there some place in all of these links that describes all the things you could do with a policy?
There are about 1000 policy settings; it's hard to put it all in one place. We're working on publishing externally an internal database that lists all of the policy settings, the field names and their values, and what tabs they're on. We're trying to get that published this year so all of that information is available in one place.
Our general rule is that when people add new features they should create new settings to control those features, but that's up to the functional areas to request those settings.
NOTE: If you have specific ones that you want to set up, you could open a PMR and we could walk you through that.
Q30. What's your take in renaming policies and policy settings versus creating new policies with the same settings and a different name? We had a Desktop Settings policy that was specific for one specific setting. We're kind of inserting other settings and making it like a general all company policy that will be part of the main organizational policy. So we're thinking of just renaming it and giving it a more generic name, but we just don't know if it's advisable or not.
- It's totally fine to rename a policy. It's the UNID that connects it to the master policy, so you can change the Settings document.
- The thing is, if you want to promote it from a dynamic or explicit to an organizational, you don't have to create a different settings document for each level. You could actually go to, for example, the Organizational policy and then just add that settings document into it. In other words, a Settings document can be linked to different policies.
- General best practice is to set only the settings that you want to use. There's the action that says "Don't set for all field". You should always set that first. If it's not done that way and there are defaults, they will be active.
Q31a. What is the relationship between Domino policies and Sametime managed settings?
There are two ways to push down Sametime settings: (1) Desktop policy and (2) Sametime policy. It also depends on the version of Sametime client used - embedded or standalone.
Q31b. Our customer has been trying to set the Sametime authentication server for embedded clients (Sametime 8.5.2 in Notes 9.x) using Sametime managed settings. This has not been a reliable method to apply this setting. Is there a reason to think that a Domino Desktop policy might be more effective?
I would open a PMR with our Sametime team. They need to look at your environment before suggesting a solution that would work for you.
Q32. We use Explicit policies to manage roaming and we use Organizational to manage ID vault and a few other things mixed in there. Dynamic policies kind of intrigue me from the way they're managed. If I was to convert like a roaming user who is receiving their roaming through an explicit policy to a dynamic, is there a best practice there? What I want to avoid is the user getting the unroaming, no roaming, then back on roaming messages.
You actually can use the same Explicit policy as a Dynamic and as an Explicit. You can assign it to the Person document as you currently have it. Or you could assign it to the groups.
What I would recommend is to just add the people in the Policy Assignment tab of the Policy, and then wait some period of time, and that policy will then go out for all the users. And then you can remove them from the Person document for those people and then there will be no change and you won't have the downgrade from roaming and upgrade to roaming.
Q33. Are there any other best practices around explicit versus dynamic? Is Dynamic better than Explicit, or does it depend?
Dynamic is actually preferred, for the main reason that it lowers your cost of ownership: it's easier to modify one policy and add people to it or remove them from it, or manage the group that's assigned to it, versus having to go to every user's Person document.
Q34. What topics would you like to see in a future Open Mic?
- Using the Notes Browser plugin for 9.x Q&A or open mic (See "Notes Browser Plugin 9.0.1 - Accessing legacy Applications" @ http://www-01.ibm.com/support/docview.wss?uid=swg27041935)
- I would like to see best practices for managing/implementing single Domino servers when multiple language support is required. Documentation is very limited, from both the server side and the client side (browser or client).