Domino Administrators ID file certificate has expired ... No Problem

Came across this at a new client site today, the client knows the Domino Administrators password, but cannot use the Administration client (or any Notes client) with the Administrators ID file, because the Administrators ID file certificates have expired.

It's a pretty simple thing to fix.

EITHER:

• Use your server's Notes client to recertify the Administrator.

OR

• Get hold of an ID file for a user who hasn't expired,
• Add that user to the 'LocalDomainAdmins' group,
• Access the Domino Directory on the server and recertify the Admin ID,
• Remove the user from the 'LocalDomainAdmins' group,
• Done.

The details:

Using a server.

• Go to the physical domino server,
• Browse to the Domino program folder,
• Locate nlnotes.exe,
• Run it.

Yes I KNOW this is not a 'supported configuration' but hey, it Domino - #ThisS***JustWorks.
 

• You now have a notes client, which you can use to access the names.nsf locally (the Domino Directory),
• Go to 'People',
• Choose (highlight) the Administrator,
• Choose (from the menu) ACTIONS -> Recertify Selected People,
• Choose the Administrators organization certifier,
• Enter the certifier password.
• Choose a date a long time from now (you WANT your Admin ID file to expire every two years???),
• Done.

The Long way - elevate another user.

If you know the Administrators password, there is a fair chance you can still access the Domino Web Administrator using that password:

• Log-in to the Webadmin using: http://yourserver.com/webadmin.nsf and the Administrators Username and Password,
• Go to 'People and Groups',
• Edit the 'LocalDomainAdmins' group to include the users name who's ID file has not expired,
• On the Domino Console, 'load updall -r names.nsf', then 'dbcache flush',
• Start the users Notes client,
• Open the Domino Directory (names.nsf) on the server,
• Choose People from the navigator,
• Highlight the Administrator,
• Choose (from the menu) ACTIONS -> Recertify Selected People,
• Choose the Administrators organization certifier,
• Enter the certifier password.
• Choose a date a long time from now (you WANT your Admin ID file to expire every two years???),
• Using any method you want (you've got a recertified Admin now), remove the user from the 'LocalDomainAdmins' group,
• Done.

Hope this helps someone, this has happened a few times in the last couple of months when we pick up a new (old) Notes customer who hasn't needed to use the Admin ID in a while.

Domino Administrators ID file certificates have expired? No Problem.

Read more »

Posted in: Domino Serv,Lotus Dominino

Q, Administrator ID has expired; no one can administer the Domino server

Question

The administrator's ID file has been allowed to expire, and there are no other ID files which can be used to access the server. Attempts to access the server using an expired administrator ID results in the following error:

"Server error - your certificate has expired"

There are no other administrative IDs that can be used to access the server. What are your options?

Answer

Perform the following workaround to certify the expired ID:

1. Open the Domino Administrator client. (The server should be set to "local".)

2. Select the Configuration tab.

3. Select Tools -> Certification -> Certify.

4. Select the certifier ID and enter the password. Set the server to Local.

Note: The following error may appear: "The public key that is being used does not match the one that was certified." This occurs because the client cannot connect to the Notes certifier document in the address book on the server. To continue past this error, select "Yes" when prompted with the following: "Do you wish to continue without updating the Certifier ID?"

5. Select the Notes/Admin ID to certify. Note: You will see an error: "Entry not found in index, Do you want to certify anyway?" Click Yes.

6. Ensure that the server is still set to "local" (at the top of the dialog), set the expiration date, and then click Certify.

7. At this point you should have access to the server, as long as public key checking is not enabled on the server. If public key checking is enabled on the server, you must complete step 8 before you can access the server.

8. Copy the public key from the ID into the Person document (Certificates tab -> Notes certified public key field.)

1. File -> Security -> User Security (this opens the user ID)
2. Select Your Identity -> Your Certificates
3. Click the "Other actions" button and choose Mail, Copy Certificate (Public Key)...
4. Select Copy Certificate (this will place the public key on the system clipboard)
5. Close the open windows to exit User Security.
6. Select the People view in the server's Domino Directory, open the user's Person document in Edit mode, and click the Certificates tab
7. Select the entire contents of the Notes certified public key field and paste the key from the clipboard; save and close
8. Rebuild the view by pressing the key combination Shift + F9.

Read more »

Posted in: Domino Serv,Lotus Dominino

Q, How to manually recertify an expired ID

Question

You have a Lotus Notes user ID that has expired and you would like to manually recertify it.

The ID can open Notes, because the password is valid, but the user cannot do anything else, as the end date has expired. If the user selects File -> Tools -> User ID -> Certificate -> Request Certificate, the following message displays:

Server Error: Your certificate has expired.

 

Answer

Administrator: Recertify user's ID

A user has a Notes ID that has an expired certificate. These steps are performed by the server administrator to correct the user's expired ID.

1. After obtaining the user ID, you (as the administrator) launch the Lotus® Domino® Administration client.
   
   
2. Open the Configuration tab, expand Certification (located on the right hand pane) and select Certify.
   
   
3. Select the Certifier ID file.
   
   
4. From the Choose Certifier ID dialog box, select the O or OU certifier that was originally used to certify the user ID.
   
   
5. Enter the password for the certifier ID.
   
   
6. From the Choose ID to Certify dialog box, select the user ID to be recertified.
   
   
7. Enter the password for user ID to be recertified.
   
   
8. [Optional] In the Certify ID dialog box, you may set or change the following:
   Registration server, expiration date of the certifier and password length.
   
   
9. Click Certify.
   The Status window displays:
   Updating address book entry for username/org
   Successfully updated address book entry for username/org
   Username/org successfully certified
   
   
10. Choose "No" when you receive the following dialog box:
    Would you like to certify another?
    
    
11. Provide the newly-recertified ID file to the user.

User: Merge the new certificate

Once the administrator recertifies the safe.ID and returns the ID to the user, the user must perform the following steps:

1. Select File -> Security -> User Security -> Your Identity -> Your Certificates -> Get certificates button -> Import (Merge) Notes Certificate.
   
   
2. Enter password.
   
   
3. The dialog box then prompts the user to choose the safe.ID that has been recertified and it is then merged into the original user ID.

Administrator: Recertify an expired Server ID

If an administrator needs to recertify an expired Server ID, the following steps should be followed:

1. Certify the server id file by following the "Administrator: Certifying an expired server ID file" steps included below.
   
   
2. Verify that the expiration date has been changed in the server.id file.
   
   
3. From the administration client select Configuration -> Tools -> ID Properties, then select the Server ID file.
   
   
4. Place the new server.id back on the server (c:\lotus\domino\data), and restart the server.

Administrator: Certifying an expired server ID file

How to certify an expired server id file.

1. After obtaining the server ID (c:\lotus\domino\data is the default location ), you (as the administrator) launch the Domino Administrator client.
   
   
2. Open the Configuration tab, expand Certification (located on the right hand pane) and select Certify.
   
   
3. Select the Certifier ID file.
   
   
4. From the Choose Certifier ID dialog box, select the O or OU certifier that was originally used to certify the user ID.
   
   
5. Enter the password for the certifier ID.
   
   
6. From the Choose ID to Certify dialog box, select the server ID to be recertified.
   
   
7. Enter the password for server ID to be recertified, if necessary (not all server ID files require a password).
   
   
8. [Optional] In the Certify ID dialog box, you may set or change the following:
   Registration server, expiration date of the certifier and password length.
   The server.id file should have an expiration date 99 years in the future (default ).
   
   
9. Click Certify.
   The Status window displays:
   Updating address book entry for username/org
   Successfully updated address book entry for username/org
   Username/org successfully certified
   
   
10. Choose "No" when you receive the following dialog box:
    Would you like to certify another?
    
    
11. Copy the newly-recertified ID file to the server (c:\lotus\domino\data, by default).

 

Read more »

Posted in: Domino Serv,Lotus Dominino

Office 2016 Client Software License Management Tool

Office 2016 Client Software License Management Tool

Office 2016 For 32 bit Windows: cscript “C:\Program Files\Microsoft Office\Office16\OSPP.VBS” /dstatus For 64 bit Windows: cscript “C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS” /dstatus  Usage

cscript ospp.vbs /Option:Value ComputerName User Password

ComputerName: Name of remote computer. If a computer name is not passed local computer is used.

User: Account with required privilege on remote computer.

Password: Password for the account. If a User account and password are not passed current credentials are used.

Value: Required for outlined options.

Global /Options	Description
/act	Activate installed Office product keys.
/inpkey:value	Install a product key (replaces existing key) with user-provided product key. Value parameter applies.
/unpkey:value	Uninstall an installed product key with user-provided partial product key (as displayed by the /dstatus option). Value parameter applies.
/inslic:value	Install a license with user-provided path to the .xrm-ms license. Value parameter applies.
/dstatus	Display license information for installed product keys.
/dstatusall	Display license information for installed licenses.
/dhistoryacterr	Display MAK/Retail activation failure history.
/dinstid	Display installation ID for offline activation.
/actcid:value	Activate product with user-provided confirmation ID. Value parameter applies.
/rearm	Reset the licensing status for all installed Office product keys.
/rearm:value	Reset the licensing status for an Office license with user provided SKUID value (as displayed by the /dstatus opton). Value parameter applies.
/ddescr:value	Display the description for a user-provided error code. Value parameter applies.
KMS client /Options	Description
/dhistorykms	Display KMS client activation history.
/dcmid	Display KMS client machine ID (CMID).
/sethst:value	Set a KMS host name with user-provided host name. Value parameter applies.
/setprt:value	Set a KMS port with user-provided port number. Value parameter applies.
/remhst	Remove KMS host name (sets port to default).
/cachst:value	Permit or deny KMS host caching. Value parameter applies (TRUE or FALSE).
/actype:value	Set volume activation type. Value parameter applies. (Windows 8 and above support only) Values: 1 (for AD) or 2 (for KMS) or 3 (for Token) or 0 (for all).
/skms-domain:value	Set the specific DNS domain in which all KMS SRV records can be found. This setting has no effect if the specific single KMS host is set via /sethst option. Value parameter applies. (Windows 8 and above support only) Value:FQDN
/ckms-domain	Clear the specific DNS domain in which all KMS SRV records can be found. The specific KMS host will be used if set via /sethst option. Otherwise default KMS auto-discovery will be used. (Windows 8 and above support only)
Token /Options	Description
/dtokils	Display installed token-based activation issuance licenses.
/rtokil:value	Uninstall an installed token-based activation issuance license with user-provided license id (as displayed by the /dtokils option). Value parameter applies.
/stokflag	Set token-based activation only flag. (Windows 7 support only)
/ctokflag	Clear token-based activation only flag. (Windows 7 support only)
/dtokcerts	Display token-based activation certificates.
/tokact:value1:value2	Token activate with a user-provided thumbprint (as displayed by the /dtokcerts option) and a user-provided PIN (optional). Value parameter applies.

Prior to running ospp.vbs ensure that:

Windows firewall allows WMI traffic on remote computer.

You have or pass credentials with required permissions on remote computer.

Cmd.exe is elevated (right click > Run as administrator).

Sample Usage

cscript ospp.vbs /act  'Activate Office on local computer.

cscript ospp.vbs /act mypc1  'Activate Office on remote computer mypc1 with current credentials.

cscript ospp.vbs /inpkey:MFKXT-F6DT2-THMRV-KDWH2-TCDTC  'Install an Office product key on local computer.

cscript ospp.vbs /inslic:\\myserver\licenses\tail.xrm-ms 'Install license on local computer.

cscript ospp.vbs /inslic:"\\myserver\work licenses\office2016 tail.xrm-ms" mypc1 'Install license on remote computer mypc1. Note the path is enclosed in "" since the value contains spaces.

cscript ospp.vbs /ddescr:0xC004F009 'Display the description for error code.

cscript ospp.vbs /actype:1 'Set volume activation type to Active Directory only.

/Token only

cscript ospp.vbs /rtokil:4476b20e 'Uninstall an issuance license with license ID.

cscript ospp.vbs /tokact:96DE6755ABE0BC7D398E96C3AA3C7BFE8B565248 'Token activate with thumbprint.

cscript ospp.vbs /tokact:56AE6755AAB0BC7D398E96C3AA3C7BFE8B565256:54344 'Token activate with thumbprint & PIN.

Read more »

Posted in: Office 2016