Operating System - OpenVMS

/PWDLIFETIME and /EXPIRATION qualifiers in the AUTHORIZE utility

 
yaron1
Advisor

/PWDLIFETIME and /EXPIRATION qualifiers in the AUTHORIZE utility

Hi,

What’s the fundamental difference between the /PWDLIFETIME and /EXPIRATION qualifiers in the AUTHORIZE utility? If I understand correctly, /PWDLIFETIME is only to specify the expiration of the password if the account was not in use while /EXPIRATION is for both whether the account was used or not, is that correct? If not please explain.

Thanks for the answers, Yaron.
Volker Halle
Honored Contributor

Re: /PWDLIFETIME and /EXPIRATION qualifiers in the AUTHORIZE utility

Yaron,

the /EXPIRATION time is the absolute date and time, when the password will expire, whether the account is used or not.

The /PWDLIFETIME time is the delta time, the password will be valid, after it has been initially set or after it has been updated by the user. The password will be valid until 'Pwdchange time' plus PWDLIFETIME.

Volker.

Jan van den Ende
Honored Contributor
Solution

Re: /PWDLIFETIME and /EXPIRATION qualifiers in the AUTHORIZE utility

Yaron,

basically, they are entirely different, and not related to one another.

/EXPIRATION specifies the termination date of the validity of the account ( = username +
From the moment the clock/calendar reaches the specified moment, that user can no longer log in (until a change of the qualifier, of course).
The /PWDLIFETIME (a DELTA time spec) specifies the duration any new password will be valid. Once the moment of change of the password + the delta time has expired, the user is forced to change the password before anything else can be done interactively (it has no effect on BATCH mode login nor on remote file access).
Normally if the password is changed using AUTHORIZE, it is set pre-expired for the first login (unless /NOPWDEXPIRED is also specified).

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Hein van den Heuvel
Honored Contributor

Re: /PWDLIFETIME and /EXPIRATION qualifiers in the AUTHORIZE utility

When the time for /pwdlifetime is exceeded, the password is expired and the user gets a chance to pick a new one and continue working.

When the current date is larger than /expiration the account can no longer be used to log in to, no fresh password can be picked.

Also, the /pwdlif is a 'relative' time, and the clock starts over when the password is reset. The /expiratio is absolute. No ifs or butts. Typically you would set it at the end of a contract period, or school year, or whatever date limits might exist in your environment.


hth,
Hein.

Jan van den Ende
Honored Contributor

Re: /PWDLIFETIME and /EXPIRATION qualifiers in the AUTHORIZE utility

Volker,

>>>
the /EXPIRATION time is the absolute date and time, when the password will expire, whether the account is used or not.
<<<

Sorry, but that is NOT accurate.
/EXPIRATION also blocks BATCH and Network logins, which are NOT affected upon password expiration!

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Volker Halle
Honored Contributor

Re: /PWDLIFETIME and /EXPIRATION qualifiers in the AUTHORIZE utility

Jan,

thanks for the correction. So I should have written:

>>>
the /EXPIRATION time is the absolute date and time, when the account will expire, whether it has been used or not.
<<<

Volker.
Jon Pinkley
Honored Contributor

Re: /PWDLIFETIME and /EXPIRATION qualifiers in the AUTHORIZE utility

Just a note about using "/nopwdlifetime". If you do so, the /pwdexpired qualifier has absolutely no effect, other than to display Pwdchange: (pre-expired)

Specifically, an account that shows up with

Pwdlifetime: (none) Pwdchange: (pre-expired)

will be able to login without changing the password. That is consistent with the help description, but I was baffled the first time I did a modify user/pwde and it didn't force them to change their password.

If your intent is to allow users to use a single password for a long period of time, but you want to be able to force them to change it when a new account is created, or on demand with UAF MOD user/PWDE, consider using /PWDLIFETIME=9999-0 instead of /NOPWDLIFETIME.

P.S. for Steven, the soup's good now, but it would be just a bit better if it had some potatoes added. :-)
it depends
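
The following is an added example, not part of any post in this thread and not OpenVMS code: a small Python model of the login behaviour the replies above describe, including the /NOPWDLIFETIME case Jon Pinkley mentions. The function name, parameter names and result strings are hypothetical, and the dates in the usage are constructed.

```python
from datetime import datetime, timedelta
from typing import Optional


def login_outcome(now: datetime, mode: str,
                  expiration: Optional[datetime],
                  pwd_lifetime: Optional[timedelta],
                  pwd_change: Optional[datetime]) -> str:
    """Model of the behaviour described in this thread.

    mode         -- "interactive", "batch" or "network"
    expiration   -- /EXPIRATION absolute time, None for no expiration
    pwd_lifetime -- /PWDLIFETIME delta time, None for /NOPWDLIFETIME
    pwd_change   -- time of last password change, None for "(pre-expired)"
    """
    # /EXPIRATION is absolute and blocks every login mode.
    if expiration is not None and now >= expiration:
        return "refused: account expired"
    # Password expiry does not affect batch or network access.
    if mode != "interactive":
        return "allowed"
    # With /NOPWDLIFETIME, even a pre-expired password forces nothing.
    if pwd_lifetime is None:
        return "allowed"
    # Pre-expired, or Pwdchange + Pwdlifetime has passed.
    if pwd_change is None or now >= pwd_change + pwd_lifetime:
        return "allowed after forced password change"
    return "allowed"


if __name__ == "__main__":
    now = datetime(2024, 6, 1)            # constructed sample date
    ninety = timedelta(days=90)
    long_life = timedelta(days=9999)      # models /PWDLIFETIME=9999-0
    old_change = datetime(2023, 1, 1)
    cases = [
        ("expired account, batch", "batch", datetime(2024, 5, 31), ninety, old_change),
        ("stale password, batch", "batch", None, ninety, old_change),
        ("stale password, interactive", "interactive", None, ninety, old_change),
        ("pre-expired, no lifetime", "interactive", None, None, None),
        ("pre-expired, 9999-day lifetime", "interactive", None, long_life, None),
    ]
    for label, mode, exp, life, change in cases:
        print(f"{label:32} -> {login_outcome(now, mode, exp, life, change)}")
```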