Domino Policies - FAQ Page 1 of 4

Translate Page ▼ Anonymous Log on Help

Lotus Notes and Domino wiki All Wikis All Content Search for... Advanced Search

Home > Customer self-assist > Domino Policies - FAQ

(1 rating)

Domino Policies - FAQ

Abstract

Domino Policies

In the Notes/Domino environment, policies are a powerful feature allowing an administrator to control many user settings at once. They can be used to set purely
administrative controls like enabling inbox maintenance. Or they can be used to enforce company practices by enabling e-mail message disclaimers. The great power and
flexibility of policies; however, can be confusing and complicated particularly when multiple policies are used. Therefore this article will be used to call out and answer some
of the frequently asked questions regarding policies so that you can take advantage of all that they can do for you. The questions will be grouped into categories to make it
easier to find a particular question and answer. This list is just a start so check back later!

General

What is the priority with respect to each other of the different types of policies? (Organizational, Explicit, and Dynamic)

An upcoming Wiki entry will discuss this in great detail. But the general answer is that excluding Inherit/Enforce settings, the more specific policy takes precedence. So an
explicit policy takes precedence over a dynamic group policy and a dynamic group policy takes precedence over an organizational policy.

Why can't I send down NOTES.INI settings or managed settings for plug-ins down to the client?

In 8.5 you can! In a Desktop Settings document, look for the Custom Settings tab (far to the right on the list of tabs, use the arrows next to the tabs to get there) and you'll
see sub-tabs for Notes.ini and Managed Settings.

What to be aware of when working with Policies in a mixed environment?

First, when using pre- 8.0.1 Notes clients, be aware that desktop, setup, client archiving, and some security settings are actually calculated on the client, so when responding
to an issue related to Policies, one will need to be aware of the client type to which the policies will be getting applied. Second, Mail Policies are applied and calculated by
Adminp on the server; as a result, the policy version of mail will have dependency on the Domino version and potentially the MAILx.NTF in use. Third, when there's a higher
version of the Domino Directory in use on the server, new settings and items will be present on older clients, but will not be used because the client code is not "aware" of
these settings. Finally, and in a similar vein as the previous point, the "Set initial value" setting is a new feature to 8.0; that feature will not work against a lower the 8.0
version of the Notes client. Also see: Do you have to have an 8.5 client to use Dynamic Policies?

How do policies get pulled and applied on the client?

When the client authenticates with the users home server, it sends over a hashed value that indicates what policy information it thinks it has stored locally. The server
calculates a similar hashed value for what it thinks the client should have. If those values do not match, then the server tells the client that it need to refresh it's policies. At
this point, the client launches the dynamic configuration process, Dyncfg.exe, passing it flags on the command line that tell it to pull policies. Dyncfg uses the NAMEGetPolicy
API, which asks the server to calculate the effective policy for the user, and then stores the effective policies locally in the clients NAMES.NSF database. You can see your
locally cached policy documents by opening the hidden $Policies view (via Ctrl-Shift View\Go To). After pulling and applying the policies to the client, Dyncfg stores off the
new hashed value that it got from the server, to be sent back to the server during the next authentication, which starts this whole process over again.

So what info is encoded in this hashed value? Previous to R8.5 and dynamic policies, it was simply the last modified time of the $Policies view in the server's NAB. With the
introduction of dynamic policies, the hash was expanded to include any group or user names that caused a policy to be assigned to the user, as well as the last modified time
of the $Policies view. So, if any policy info changes on the server, or the user is assigned to any new groups that cause a policy to be assigned to them, then the hash will
change which will trigger the client to pull new policies. Note that on the Domino server, we rely on the Update task to update the views in the NAB once per minute. If this
doesn't happen, then the $Policies view won't get updated, the code won't know anything has changed, and no policy changes will get pulled to the client. This is a very
common cause of policy problems on test machines.

How to I force the client to pull policies?

Part of the hashed value is the last modified time of the $Policies view in the Domino Directory on the server. So modifying any policy or policy settings document (e.g.,
simple edit and save) and updating the $Policies view should cause the client to re-pull policies when it next authenticates with the server. To make that happen, you can
disconnect the client by hitting Ctrl-F5 and then reconnect to the server in any way (e.g., open any database on that server). There have been some bugs where this process
breaks down and policies do not get pulled. We've fixed them as we've found them, the most recent fixes going into R8.5 (as of 7/1/2008).

What tools are available for managing policies?

In the Domino Admin client, there are several tools on the Configuration tab.

Policy Viewers
In the left-hand pane, there are a couple of ways to view your policies:

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/domino-policies-faq 2011.08.15.
Domino Policies - FAQ Page 2 of 4

Home Community Articles Product Documentation Learning Center

The "By Settings" view allows you to easily see which policies a given Settings document is referenced from, so you can tell which users in your domain will be affected by a
change to that Settings document.
The "By Hierarchy" view shows your policies based on their hierarchical names. The best feature of this view is the ability to select a particular user, a particular policy
settings type (e.g., Desktop settings), and be shown the effective policy for that user. You select a user using these controls in the header of that tab:

Policy Synopsis
The Policy Synopsis tool is available from the toolbar on the right-hand side of the Configuration tab.

For the 'Report Type' one can get a summary report or a detailed report. In a summary report, the following information is provided:
Effective Policy for - this field provides a link back to the person record
Derived from the following policies: - shows which Policies entered into the calculation and provides links back to those Policy documents
One can chose to examine on or more Policies at a given time. In a detailed report, in addition to providng the "Effective Policy for " and "Derived from the following
policies" fields, the document will also contain
a report with very detailed information describing every item on the effective policy note, its value, which policy it came from, etc. It's very handy when you have multiple
policies assigned to a user and you want to know
why they are getting a particular value assigned to them. One can choose to append a record to the existing results database, or overwrite the database all together.
How often are Mail and Traveler settings applied?
Mail and Traveler settings are applied to the mail files on the server by the Administration Process (Adminp) every 12 hours by default. An administrator can also make
Adminp process those settings by using the following TELL commands on the server console: "tell adminp process mailpolicy" or "tell adminp process traveler".
Additionally, the server INI variable, ADMINP_POLL_INTERVAL, can be used to specify the time (in minutes) that Adminp should process those settings. However, since
this will cause Adminp to go through every mail file on the server, this setting should not be set too low so as not to impact server performance.

8.5 Features

Do new groups have to be created to use the new Dynamic Policy feature?

No, your existing groups can be used. Just place them under the Policy Assignment tab in the policy document.

Are Home Server groups to be used only in Dynamic Policies?

No, a Home Server group is just a group that is auto-populated by those users that have the same home mail server. So while a Home Server group is populated differently
than a regular group, it can be used wherever a regular group is used and that includes Dynamic Policies.

If a user is in two different groups and each of those groups are in a different dynamic policy, which one takes precedence?

The precedence question only comes into play if both policies specify the same setting, otherwise the various settings from each policy are just merged. If there is a conflict
for a particular setting, the precedence setting specified in the Domino Directory in the People -> Policies -> Dynamic Policies view is used. There the group policies are
listed in decreasing precedence. So the setting from policy with the highest precedence would be chosen.

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/domino-policies-faq 2011.08.15.
Domino Policies - FAQ Page 3 of 4

Do you have to have an 8.5 client to use Dynamic Policies?

No, the server has to be 8.5 but the client can be 8.01 or greater. Note: that in a mixed environment you might have some servers which are 8.5 and some that are pre-8.5.
For policy settings that are consumed by the server, clearly a pre-8.5 server won't be able to handle dynamic policies. So in that case you'd have to use explicit or
organizational policies for users on that server. You could have an explicit and dynamic policy assigned to a user that accesses both 8.5 and pre-8.5 servers. Then when the
pre-8.5 servers are upgraded you would then remove the explicit policy.
You changed group membership, now when will dynamic policies reflect that?
When you add/remove a member of a group, the Indexer thread will update the internal directory view which is then used to update the group cache. The Indexer thread will
run every minute by default or you can specify the server INI variable UPDATE_NAB_SUPPRESSION_TIME with a value in minutes. Once the group cache is updated,
dynamic policies will now correctly reflect a users group membership.

Article information
Category: Customer self-assist, Domino admin, Domino policies, Lotus Domino, Lotus Notes, Notes client,

Tags: administration, concepts, policies

This Version: Version 8 2010. június 22. 7:58:57 by Jan Van Puyvelde

Attachments (0)
Versions (8)
Comments (6)

Submitted by Jan Van Puyvelde on 2010.06.22. 8:07:16

Domino Policies - FAQ
About the comment from Corey: I too read over the word "only" several times. I modified the sentence to emphasize that word.

Submitted by Jose Zaldivar on 2010.05.30. 13:46:50

Domino Policies - FAQ
Can some explain more what location document will be updated? If a user has 3 location docs, say "Off-line, Internet, Office" how do I apply a policy to each
location?

Submitted by Mark A. Skurla on 2009.08.19. 12:31:48

Response to Corey
Hello Corey,
There is no contradiction. The "No" in the first sentence refers to the "only" part. I did not want people to think that Home Server groups were limited in use to
Dynamic Policies. Thus my statement in the second sentence. If the question had omitted the "only" part, then yes, there would have been a contradiction.
Regards,
Mark

Submitted by Slawomir Lipski on 2009.07.31. 14:18:21

adding client notes.ini settings in 8.0.1
Regarding paragraph: "Why can't I send down NOTES.INI settings or managed settings for plug-ins down to the client?"
It is possible since 8.0 (maybe even 7.0, I don't remember). But it is a little tricky. Never did myself:) I just remember thought that on admin-update courses.
Take a look at "Using policies to assign NOTES.INI or Location document settings to Notes client users" subject in R8 Administrator Help.

Submitted by Pam Gilday on 2009.07.15. 12:34:05

related post on pushing notes.ini and eclipse preference settings
This related post points to a tech note describing how to push notes.ini and eclipse settings.
{ Link }

Submitted by corey w davis on 2009.07.14. 13:36:06

Contradiction on Home Server Group Usage
There is a contradictory statement in the "Can Home Server groups only be used in Dynamic Policies? " section. The first sentence says "No..." in answer to
the "Can Home Server groups only be used in Dynamic Policies? " question, but the second sentence says "it can be used wherever a regular group is used
and that includes Dynamic Policies."

Go Elsewhere Stay Connected Subscribe to RSS Help About

• Lotus Tech Info on Twitter • Recently added • About IBM

• Wiki Help
• All Lotus and WebSphere Portal wikis • Lotus Tech Info on • Recently edited • Privacy
• Forgot user
• IBM developerWorks Facebook • Recently Added • Contact IBM
name/password
• IBM Software support • Lotus product forums Comments • IBM Terms of
• Wiki design feedback
• Lotus Tech Info blog use

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/domino-policies-faq 2011.08.15.
Domino Policies - FAQ Page 4 of 4

• Lotus Technical Information and Education • IBM Collaboration • Wiki terms of

• About the wiki
Team Blog Solutions use

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/domino-policies-faq 2011.08.15.