Groove workspace and account data reside on Groove user devices and are protected with each user’s password or smart card login. This means that, by default, if a user leaves the company or forgets a password (or smart card login), no one can access that user’s workspaces without knowing the user’s password. The management server and the Data Recovery Tool that supports it enable you to reset a Groove user’s password or smart card login and restore data.
For managed users running Groove 3.0e or earlier, data recovery requires Groove devices to be registered with a management domain. For managed users running Groove 3.0f or later, data recovery requires only identities to be managed in a domain. See “Setting Up Data Recovery on Managed Devices (for Groove 3.0f or later)” in the Managing Identity Policies section of this guide for information about setting up data recovery for managed identities with Groove 3.0f or later.
Note: The data recovery procedure is designed to reset user login credentials or gain access to a user’s existing data; it does not restore data that has been corrupted or destroyed.
For information about other options for resetting Groove passwords or smart card logins, see “Resetting Groove Login Credentials for Managed Devices” above.
For information about backing up and restoring user accounts, see “Backing Up and Restoring User Account Data” in the Managing Users section of this guide.
The following sections provide background information and instructions for restoring user passwords, smart card logins, and/or data:
• Data Recovery Fundamentals
• Recovering User Data (using the Data Recovery Tool)
Data Recovery Fundamentals
In management environments that include Groove 3.0e users, the data recovery process begins with setting a management server device policy to allow data recovery, then using the management server’s Data Recovery tool to restore data on a client device. The tool gives access to a data recovery private key, generated during management domain creation by the management server administrator.
Groove protects each user account with the user’s Groove account password or smart card login. Account data includes identity, contact, and workspace data, as well as private and secret keys generated locally by Groove (for example, when accounts, identities, or workspaces are created on a user device). The password/smart card login protection scheme applies to both managed and unmanaged accounts. This means that by default administrators cannot access any account information, whether managed or unmanaged.
However, under certain conditions, for example if a user on a managed device loses or forgets a password or smart card login, or leaves the company, an administrator may need to access a user’s Groove data. The management server provides a means of recovering data without knowing the user’s original password or smart card login. Management server device policies provide options for two levels of data recovery:
• The first level, limited data recovery (without password reset), enables administrative access to the user's workspace data only, rather than complete access to the user's account. This level prevents an administrator from accessing the user's private cryptographic information, such as the user's private and secret keys. It thus also prevents the administrator from being able to impersonate the user (sending Groove instant messages and workspace updates on behalf of the user). Because administrators cannot gain full entry to the user's account after this type of data recovery, they must copy the workspaces from a user's account into another location (into another account or a directory on disk) for future use or reference.
This level limits administrative access, providing protection against misuse through impersonation while allowing limited recovery of the user's data.
• The second level, password reset, enables administrators to reset a user’s password or smart card login, enabling complete access to a user's account and workspace data, including access to the user's private cryptographic information. Because administrators with this level of access can impersonate users, this level of access should be used judiciously. Administrators considering this access level must weigh the risk of misuse through impersonation against the benefit of allowing user accounts to be reactivated.
Both data recovery levels require the use of a data recovery key pair: a public key contained in a certificate (.cer) file and a private key contained in a password/smart card-protected private key store (.xml) file. These keys are created during domain creation by the management server administrator. The data recovery public key is encapsulated in a data recovery policy and disseminated to all the managed devices governed by the policy.
On managed devices governed by a data recovery policy, Groove encrypts user account data and passwords/smart card logins with the data recovery public key. If limited data recovery is the chosen policy level, only the non-private cryptographic information in the account is encrypted with the data recovery public key. If password/smart card login reset is the chosen policy level, both the non-private and the private cryptographic information of the account are encrypted. The data recovery administrator uses the corresponding data recovery private key (generated during domain creation) to decrypt and gain access - limited or full - to the user's account, without knowing the user's original Groove password.
This feature is implemented using public key cryptographic protocols. Thus, an administrator can gain access to an account only if the account was first encrypted with a data recovery public key, and only the correct corresponding data recovery private key (to which only the data recovery administrator has access) allows access to the account.
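The two policy levels described above can be modeled in a few lines. This is an added example, not Groove's implementation or code from this guide: it shows that the policy level fixes, at encryption time, which account sections the data recovery private key can later open, and that a non-matching private key opens nothing. All function names, the section names, and the sample account are hypothetical, and the toy textbook RSA and keystream (standard library only) stand in for real public key encryption.

```python
import hashlib, hmac, secrets

E = 65537
LIMITED, RESET = "limited", "password_reset"

def make_keypair(p, q):
    """Toy textbook-RSA key pair from two primes (insecure, illustration only)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _keystream(key, length):
    # SHA-256 in counter mode as a stand-in stream cipher.
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(public, plaintext):
    """Encrypt one account section under a fresh key, then wrap that key."""
    n, e = public
    key = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return pow(int.from_bytes(key, "big"), e, n), body, tag

def unseal(private, sealed):
    """Return the plaintext, or None if this private key does not match."""
    n, d = private
    wrapped, body, tag = sealed
    key = (pow(wrapped, d, n) % 2**128).to_bytes(16, "big")
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))

def escrow(account, level, recovery_public):
    """Seal only the sections that the policy level exposes to the recovery key."""
    names = ["workspaces"] if level == LIMITED else ["workspaces", "private_keys"]
    return {name: seal(recovery_public, account[name]) for name in names}

def recover(escrowed, recovery_private):
    """Sections an administrator holding this private key can actually open."""
    opened = {name: unseal(recovery_private, s) for name, s in escrowed.items()}
    return {name: data for name, data in opened.items() if data is not None}

# Constructed sample data and toy keys (Mersenne primes; never use in practice).
DOMAIN_PUB, DOMAIN_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
_, OTHER_PRIV = make_keypair(2**107 - 1, 2**61 - 1)
ACCOUNT = {"workspaces": b"Q3 planning space", "private_keys": b"identity signing key"}
```

Calling `recover(escrow(ACCOUNT, LIMITED, DOMAIN_PUB), DOMAIN_PRIV)` yields only the workspace section, while an account that was never escrowed (an empty dictionary) yields nothing regardless of the key.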
Recovering User Data (using the Data Recovery Tool)
To service users of Groove 3.0e or earlier, before you begin the data recovery process, be sure to set your management domain device policies to allow data recovery, as described above in “Controlling Login Credential Reset and Data Recovery”. Then you can use the Groove data recovery tool on a client device to recover a user’s public workspace data or to reset the user’s password, which provides complete access to all the user’s Groove data.
If you want only to allow users to reset their passwords, consider using the centralized procedure described above in “Resetting Groove Login Credentials for Managed Devices”.
Note: In a Role Based Access Control (RBAC) environment, you must have the role of Server or Support Administrator to use the data recovery tool described in the procedure below.
Note: If you use a management server version 3.0e or earlier, and/or you support users of Groove 3.0e or earlier, Groove data recovery and login credential reset require identities to be members of a management domain and devices to be registered with that domain, as described above in “Registering User Devices with the Management Server”.
To recover user data and/or reset a managed user’s login credentials on managed devices, follow these steps:
Note: Make sure that Groove is not running on the client device where you are trying to restore data.
1. From the client device where you are trying to restore data, open a browser and go to the management server administrative Web site.
2. Select Domain Properties in the tool bar. The domain properties page appears.
3. In the Password or Smart Card Reset Setup section of the page, use the ‘Download data recovery tool for Groove version’ option to specify the Groove version installed on managed user devices, and click the Download button. A standard Save As pop-up window appears.
4. In the Save As window, browse to the network location where you want to store the data recovery tool.
This generates the Data Recovery tool, DataRecoveryAdminTool.exe (and its associated system files), which enables you to restore the password and/or data on a client machine.
5. Run the Data Recovery Tool, DataRecoveryAdminTool.exe, from its current location to create the data recovery certificate and keys. The Recovery page appears.
Note: Do not try to run the .exe file from a remote location; you must download and run it from the client PC.
6. Choose a data recovery option as follows:
• Reset Password - To reset the user’s password and restore full access to all workspaces and account data, providing that your policy allows resetting a user’s password.
• Recover Workspace Data - To copy the workspace information into another location. If you need to reactivate the workspaces in their new location, you must ask the workspace owners to invite you into them or invite them yourself.
If your policy allows only recovery of workspace data (not resetting the password), only the second option is available to you; an error will appear if you set the first option.
7. Edit the following fields, then click Next:
a. In the Private Key File field, enter the .xml file path for the private key file (that was generated during initial setup of this feature).
b. In the Administrator password field, enter the administrator private key password that was originally defined.
8. If you chose the Reset Password option, the Reset Password page appears. Proceed as follows:
a. In the Account Name field, select the name of the managed account that you want to restore.
b. In the New Password field, enter a new pass phrase, then enter it again in the Confirm new password field.
c. Click Finish. A completion pop-up window appears.
d. Click OK to exit.
e. Launch Groove and log into the user’s account after entering the new password when prompted.
9. If you chose the Recover Workspace Data option, the Recovery page appears. Proceed as follows:
a. Choose one of the following output options, as described in the following table:
Recovery Options and Descriptions

Export spaces into new account: Choose this option to copy the selected workspaces to a new Groove account, then do the following:
1. Click the Next button to display a page where you enter the account name and password of the new account.
2. Enter the information, then click Next again to select a workspace.
3. Click the Finish button.

Export spaces into existing account: Choose this option to copy selected workspaces into another existing account on the device, then do the following:
1. Click the Next button to display a page where you select an existing name and its correct password.
2. Enter the information, then click Next again to select workspaces.
3. Click the Finish button.
b. When the completion pop-up appears, click OK.
10. If you saved the workspace(s) in an account, launch Groove and open the specified account.
11. If you exported the workspace(s) to disk, restore the space(s) on the Groove client as follows:
a. From the client device, launch Groove.
b. Go to My Spaces.
c. From the File menu, choose Restore Workspace or Open Workspace Archive (depending on which Groove version you are using). The Restore pop-up window appears.
d. Browse the location where you saved the workspace(s).
e. Enter the password defined in the Recovery options of the Data Recovery tool.
f. Click OK. The workspace appears in the list of workspaces.