There are a couple of methods to deal with this depending on how secure you'd like user accounts to be:
1) Keep a backup of the user ID with a known password in a secure location. However, any encryption keys that the user adds will be lost if this backup file is used when the user forgets his/her password.
2) Don't keep backups and warn the user about what it means to lose a password (all your encrypted files won't be accessible any more, etc.). This also guarantees that the user is the only one who could have sent a mail message (useful in court cases) or done something to a database.
3) Separate the ID file storage and the password knowledge between two different people. This is a safer position than (1). However, if the two people work together, security in Notes can still be compromised.
If you are running 4.1, there is a new feature that will help you use method (1). You can set up an escrow account and when you register a new user, the new ID is sent (mailed) automatically to the escrow agent. This way, you keep backup copies of every ID you make.
There is no way to recover encryption keys from a user ID with a forgotten password!