11-08-2011 07:26 AM
Auto disable User account if they have not logged in for a month.
I have a requirement to disable User account automatically if they have not logged in for a month, can you help me on this.
11-08-2011 10:19 AM
Re: Auto disable User account if they have not logged in for a month.
VMS does not have this capability built in, but it is easy to write a command file to do what you need.
First, get the freeware GETUAI from ftp://ftp.hp.com/pub/openvms/freeware/getuai or any other place that you like. This program extracts fields from SYSUAF and puts them into DCL symbols. In particular, you could extract the last login date and compare it to today's date. If the last login is too old, then execute an AUTHORIZE command to DISUSER the account.
You will need a list of USERNAMEs that this applies to. Either get this list from management, or apply it to all users except special system accounts (like SYSTEM). In the latter case, you can simply read SYSUAF to get a list of USERNAMEs and then use GETUAI to get information about the user.
Check the manuals or use the VMS HELP command to learn more. Here are some things you will want to look up:
OPEN
READ
CLOSE
IF
LEXICALS F$CVTIME
AUTHORIZE MODIFY /FLAGS
Once you have your command file working, you can use the VMS BATCH system to schedule it to run every midnight or so. Look up the SUBMIT command.
HTH
11-08-2011 02:00 PM
Re: Auto disable User account if they have not logged in for a month.
There's an updated getuai version here. But dig around on the Freeware in general here, too, as this is very far from the first time somebody's gone looking for this request. The Google site keyword (eg: /site:decuslib.com other search keywords here/) can target your search.
11-08-2011 09:44 PM
Re: Auto disable User account if they have not logged in for a month.
Thanks for the reply
11-09-2011 07:11 AM
Re: Auto disable User account if they have not logged in for a month.
We've used the SCANUAF program inside a command procedure to implement a similar security requirement. I would think this would be more appropriate (or easier) than GETUAI...
http://vms.process.com/scripts/fileserv/fileserv.com?SCANUAF
11-09-2011 09:11 AM
Re: Auto disable User account if they have not logged in for a month.
@David R. Lennon wrote: We've used the SCANUAF program inside a command procedure to implement a similar security requirement. I would think this would be more appropriate (or easier) than GETUAI...
Some years ago I switched from SCANUAF to GETUAI, but I don't remember why ....
11-09-2011 11:35 AM
Re: Auto disable User account if they have not logged in for a month.
For yet another way to do it, I prefer Joe Meadows' UAF utility, which I've updated and released at http://code.google.com/p/jmuaf/. To get a list of users who have not logged in during the last month (and are not already disusered), do:
$ uaf/select=(interactive=(17-nov-1858,9-oct-2011), -
noninteractive=(17-nov-1858,9-oct-2011), flags=nodisuser) -
/match=and/display=(username,interactive,noninteractive)
Inserting the date one month ago today in place of the hard-coded 9-oct-2011 and parsing the output to generate the AUTHORIZE statements to disuser the accounts are left as an exercise for the reader, but they are pretty trivial DCL.
11-09-2011 11:44 AM
Re: Auto disable User account if they have not logged in for a month.
Below is a bit (or two) of DCL which generates AUTHORIZE MODIFY commands to DISUSER records before a certain date, which are not disusered already.
You may want to consider also looking at 'expiration' date, and non-interactive logins. (BACKUP !?)
Usage
$ @UAF_LASTLOGIN.COM /OUT=disuser.tmp 90 ! default 31 days, absolute date also accepted
$ TYPE/PAGE disuser.tmp ! Review
$ MCR AUTHORIZE @disuser.tmp ! Execute.
Enjoy,
Hein
$!
$! uaf_last_login.com Hein van den Heuvel,August 2007.
$
$! List records from SYSUAF for which the Last Interactive Login
$! before a cutoff_date and is not yet disusered.
$!
$! Provide number of days, or date, as argument. Default 31 days
$
$ IF p1.EQS."" then p1 = 31
$ IF F$TYPE(p1).EQS."INTEGER"
$ THEN cutoff_text = f$cvtime("0:0:0 -''p1'-")
$ ELSE cutoff_text = f$cvtime(p1)
$ ENDIF
$ s = $status
$ IF .NOT.s then $EXIT 's
$
$!libr/extr=$uafdef/out=uafdef.tmp sys$library:lib.mlb
$!sea uafdef.tmp flag...
$!EQU UAF$Q_LASTLOGIN_I 396
$!EQU UAF$L_FLAGS 468
$!EQU UAF$V_DISACNT 4
$
$close /nolog uaf
$open/error=ooops/read uaf 'f$parse("SYSUAF","SYS$SYSTEM:.DAT",,,"SYNTAX_ONLY")
$
$ found = 0
$ records = 0
$loop:
$ records = records + 1
$ read/nolock/end=done uaf rec
$ username=f$extr(4,12,rec)
$ IF f$cvsi(468*8+4,1,rec) THEN GOTO loop ! disuser already ?
$
$ lastlogin_binary = F$EXTR(396,8,rec)
$ lastlogin_date = F$FAO("!%D",f$cvui(32,32,f$fao("!AD",8,lastlogin_binary)))
$ lastlogin_text = F$CVTIME(lastlogin_date)
$
$ IF lastlogin_text .GTS. cutoff_text THEN GOTO loop
$
$! At this point we have a record which was not dis-usered,
$! and the user has not recently logged in. Policy says to disable the account.
$
$ text = "Last Login " + lastlogin_date
$ IF f$cvsi(0,32,lastlogin_binary) .EQ. 0 THEN text = "Never logged in."
$
$ WRITE sys$output "MODIFY ''username' /FLAG=DISUSER !" + text
$ username = ""
$ found = found + 1
$ goto loop
$
$done:
$WRITE sys$output "! found ", found, " targets. Total records: ", records
$close uaf
$ooops:
$exit '$status
11-09-2011 04:48 PM
Re: Auto disable User account if they have not logged in for a month.
The first step is to set up identifiers to categorize the users and grant them the appropriate accounts.
These allow you to select the records for the users that are candidates to be disabled. Otherwise you could take out an account used for special purposes.
I also add identifiers to indicate the special accounts.
You also need to look at the batch and network and other access times. I have seen many users incorrectly disabled because they only had network access.
As long as you are doing the reports, you should also be checking for extra privileged and uncategorized accounts.
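
The selection policy discussed in this thread (take the most recent of the interactive and non-interactive logins, skip accounts already disusered, only touch accounts carrying a candidate identifier, report uncategorized ones), sketched as an added Python example that is not code from any poster. The inventory layout, the identifier names STAFF and SPECIAL, and the function names are assumptions made for illustration; the output is a list of AUTHORIZE commands for review.

```python
from datetime import date, timedelta

MONTHS = {m: i for i, m in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), 1)}

def parse_vms_date(text):
    """Parse a VMS-style date such as '9-OCT-2011'; '(none)' or '' means never."""
    text = text.strip().upper()
    if text in ("", "(NONE)"):
        return None
    day, mon, year = text.split("-")
    return date(int(year), MONTHS[mon], int(day))

# Constructed sample inventory (not real SYSUAF output). Columns:
# username | last interactive | last non-interactive | flags | identifiers
SAMPLE = """\
SYSTEM   | 1-NOV-2011  | 8-NOV-2011  |         | SPECIAL
JSMITH   | 2-SEP-2011  | (none)      |         | STAFF
BATCHOPS | (none)      | 7-NOV-2011  |         | STAFF
NETUSER  | 14-JUL-2011 | 6-NOV-2011  |         | STAFF
OLDHAND  | 3-MAR-2011  | 20-AUG-2011 | DISUSER | STAFF
NEWHIRE  | (none)      | (none)      |         | STAFF
ORPHAN   | 5-JAN-2011  | (none)      |         |
"""

def stale_accounts(inventory, today, max_age_days=31, candidate_id="STAFF"):
    """Return (AUTHORIZE commands to review, uncategorized usernames)."""
    cutoff = today - timedelta(days=max_age_days)
    commands, uncategorized = [], []
    for line in inventory.splitlines():
        user, inter, noninter, flags, idents = [f.strip() for f in line.split("|")]
        idents = idents.split()
        if not idents:                      # no identifier: report, never auto-disable
            uncategorized.append(user)
            continue
        if candidate_id not in idents or "DISUSER" in flags.split():
            continue                        # special account, or already disabled
        logins = [d for d in (parse_vms_date(inter), parse_vms_date(noninter)) if d]
        latest = max(logins) if logins else None
        if latest is not None and latest >= cutoff:
            continue                        # batch/network-only users stay enabled
        note = f"Last login {latest.isoformat()}" if latest else "Never logged in."
        commands.append(f"MODIFY {user} /FLAGS=DISUSER ! {note}")
    return commands, uncategorized

if __name__ == "__main__":
    cmds, orphans = stale_accounts(SAMPLE, date(2011, 11, 9))
    print("\n".join(cmds))
    print("! uncategorized accounts to review:", ", ".join(orphans))
```
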