I always thought that "Deny Access" was the be-all, end-all. But apparently not. If someone is listed in both the "Full Access Administrators" list and the "Deny Access" list for the server, they will still be able to access the server. The "Full Access Administrators" trumps the "Deny Access" setting.

From the Administrator Help file, here's information on the Full Access Administrators field:

Full access administrators

Full access administrator is the highest level of administrative access to the server. The full access administrator feature replaces the need to run a Notes client locally on a server. It resolves access control problems -- for example, such as those caused when the only managers of a database ACL have left an organization.

Full access administrators have the following rights:

* All the rights as listed for all administrator access levels (see above).
* Manager access, with all access privileges enabled, to all databases on the server, regardless of the database ACL settings.
Note ACL roles must still be enabled manually for full access administrators. Manager access, with all roles and access privileges enabled, to the Web Administrator database (WEBADMIN.NSF).
* * Access to all documents in all databases, regardless of Reader names fields.
* The ability to create agents that run in unrestricted mode with full administration rights.
* Access to any unencrypted data on the server.

Note Full access administrator does not allow access to encrypted data. The use of the specified user's private key is required to decrypt documents that are encrypted with public keys. Similarly, a secret key is required to decrypt documents encrypted with secret keys.


Obviously, you want to be careful with who is placed in that field. But when someone leaves the company, just putting them into Deny Access won't be sufficient. You have to pull them out of the Full Access Administrators field in addition to putting them in Deny Access.

preload preload preload