Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

/PWDLIFETIME and /EXPIRATION qualifiers in the AUTHORIZE utility

SOLVED
Go to solution
yaron1
Advisor

/PWDLIFETIME and /EXPIRATION qualifiers in the AUTHORIZE utility

Hi,

What’s the fundamental difference between the /PWDLIFETIME and /EXPIRATION qualifiers in the AUTHORIZE utility? If I understand correctly, /PWDLIFETIME is only to specify the expiration of the password if the account was not in use while /EXPIRATION is for both whether the account was used or not, is that correct? If not please explain.

Thanks for the answers, Yaron.
6 REPLIES
Volker Halle
Honored Contributor

Re: /PWDLIFETIME and /EXPIRATION qualifiers in the AUTHORIZE utility

Yaron,

the /EXPIRATION time is the absolute date and time, when the password will expire, whether the account is used or not.

The /PWDLIFETIME time is the delta time, the password will be valid, after it has been initially set or after it has been updated by the user. The password will be valid until 'Pwdchange time' plus PWDLIFETIME.

Volker.

Jan van den Ende
Honored Contributor
Solution

Re: /PWDLIFETIME and /EXPIRATION qualifiers in the AUTHORIZE utility

Yaron,

basically, they are entirely different, and not related to one another.

/EXPIRATION specifies the termination date of the validity of the account ( = username +
From the moment the clock/calender reaches the specified moment, that user can no longer log in (until a change of the qualifier. of course)
The /PWDLIFETIME ( a DELTA time spec )specifies the duration any new password will be valid. Once the moment of change of the password + the delta time has expired, the user is forced to change the password before anyhing else can be done interactively (it has no effect on BATCH mode login nor on remote file access).
Normally if the password is changed using AUTHORIZE, it is set pre-expired for the first login (unless /NOPWDEXPIRED is also specified)

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Hein van den Heuvel
Honored Contributor

Re: /PWDLIFETIME and /EXPIRATION qualifiers in the AUTHORIZE utility

When the time for /pwdlifetime is exceeded, the password is expired and the user gets a chance to pick a new one and continue working.

When the current date is larger than /expiration the account can no longer be used to log in to, no fresh password can be picked.

Also, the /pwdlif is a 'relative' time, and the clock starts over when the password is reset. The /expiratio is absolute. No ifs or butts. Typically you would set it at then of a contract period, or school year, or whatever date limits might exist in your environment.


hth,
Hein.

Jan van den Ende
Honored Contributor

Re: /PWDLIFETIME and /EXPIRATION qualifiers in the AUTHORIZE utility

Volker,

>>>
the /EXPIRATION time is the absolute date and time, when the password will expire, whether the account is used or not.
<<<

Sorry, but that is NOT accurate.
/EXPIRATION also blocks BATCH and Network logins, which are NOT affected upon password expiration!

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Volker Halle
Honored Contributor

Re: /PWDLIFETIME and /EXPIRATION qualifiers in the AUTHORIZE utility

Jan,

thanks for the correction. So I should have written:

>>>
the /EXPIRATION time is the absolute date and time, when the account will expire, whether it has been used or not.
<<<

Volker.
Jon Pinkley
Honored Contributor

Re: /PWDLIFETIME and /EXPIRATION qualifiers in the AUTHORIZE utility

Just a note about using "/nopwdlifetime". If you do so, the /pwdexpired qualifier has absolutely no effect, other than to display Pwdchange: (pre-expired)

Specifically, an account that shows up with

Pwdlifetime: (none) Pwdchange: (pre-expired)

will be able to login without changing the password. That is consistent with the help description, but I was baffled the first time I did a modify user/pwde and it didn't force them to change their password.

If your intent is to allow users to use a single password for a long period of time, but you want to be able to force them to change it when a new account is created, or on demand with UAF MOD user/PWDE, consider using /PWDLIFETIME=9999-0 instead of /NOPWDLIFETIME.

P.S. for Steven, the soup's good now, but it would be just a bit better if it had some potatoes added. :-)
it depends