Account expiry
09-28-2006 07:26 PM
I need to set an account expiry (I do not talk about password here).
I enabled it in SAM, and set it to 60 days :
Go to SAM ->Auditing and security -> system Security Policies -> General User Account Policies, and Enable "Lock Inactive accounts" with 60 days.
But then even trying to launch the /usr/lbin/getprpw
# ./getprpw genadmin
uid=100, bootpw=NO, audid=20, audflg=1, mintm=0, maxpwln=-1, exptm=0, lftm=0, spwchg=Tue Sep 26 20:10:10 2006, upwchg=Tue Jun 20 02:20:22 2006, acctexp=-1, llog=-1, expwarn=0, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Thu Sep 28 21:15:31 2006, ulogint=Tue Sep 26 22:02:58 2006, sloginy=pts/ta, culogin=-1, uloginy=pts/tb, umaxlntr=-1, alock=NO, lockout=0000000
See the "acctexp=-1" ?
So I cannot verify it has been set to "60 days".
Am I using the wrong command to set/view the account expiry ?
P.S. : I'm in a trusted hosts system, HP-UX 11.i
Many Thanks !!
09-28-2006 09:26 PM
Re: Account expiry
The -1 indicates that the system default value is being used rather than a value specific to that user. Default values are stored in /tcb/files/auth/system/default.
regards,
Darren.
09-28-2006 09:31 PM
Re: Account expiry
Looking at the file you specify, I see the following :
default:\
:d_name=default:\
:d_boot_authenticate@:\
:u_pwd=*:\
:u_owner=root:u_auditflag#-1:\
:u_minchg#0:u_maxlen#8:u_exp#0:u_life#0:\
:u_llogin#5184000:u_pw_expire_warning#0:u_pswduser=root:u_pickpw:\
:u_genpwd@:u_restrict@:u_nullpw@:u_genchars@:\
:u_genletters@:u_suclog#0:u_unsuclog#0:u_maxtries#99:\
:u_lock:\
:t_logdelay#2:t_maxtries#10:t_login_timeout#0:\
:chkent:
I have put a default of 60 days in SAM for general system policy, and 3 days only for the user "genadmin".
I do not see 60 nor 3 in the file you mention.
I'm interested to see the expiry days for a user account.
Many Thanks so far ... but the answer is not complete, yet ;-)
09-28-2006 11:04 PM
Re: Account expiry
The u_llogin value in the default file is set to 5184000. There's a bit more info on this parameter here -> http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1030113
If you manually set a user value, then it will override the system default. Take a look in the user file (which will be /tcb/files/auth/g/genadmin) for your 3 days.
regards,
Darren.
09-29-2006 12:16 AM
Re: Account expiry
u_llogin - This value, in seconds, is the maximum time allowed between logins. If the time between the last login and the current time exceeds this value, the account is locked and the user can no longer logon.
I was expecting the correct parameter to be acctexp (for account expiry), but it seems you are correct with the u_llogin.
Many Thanks !!
10-01-2006 08:04 PM
Re: Account expiry
The account expiry is working fine (i.e. account disabled after the account expiry time has elapsed).
What if I want to "delete the account" if no request for reactivation has been done, for example?
So I put an account expiry of 60 days, then an account deletion after 15 more days (total 75 days).
I found in SAM the "Account Life time" in days, but will that begin counting when the account is expired, or when the account is created?
If the account life time begins counting when the account is expired (locked), then it is OK.
If the account life time begins counting from the creation date of the user, then I have a problem.
I want to follow the security rule as follows:
- Account locked after 60 days of inactivity
- then account deleted 15 days after the 60 inactivity days.
Can someone answer?
Many Thanks !!
10-01-2006 10:56 PM
Re: Account expiry
(for more info please see the u_acct_expire entry in "man 4 prpwd"; it states explicitly that the account expiry time is not updated upon password change; I would infer that it is not updated upon de-activation either).
I simply keep a mental note to review disabled accounts after one month. We have a variety of tasks to undertake on ex-employees at that time (archiving their email; redistributing working files to their successor, etc.) Going back in to delete their accounts is a small part of the load.
Sorry I can't suggest an automatic way of achieving this.
10-01-2006 11:19 PM
Re: Account expiry
Anybody else who has an idea is welcome ;-)
10-02-2006 01:05 AM
Re: Account expiry
Too many questions, no single answer, therefore removing an inactive account is left to the sysadmin to handle according to company policies.
Bill Hassell, sysadmin
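Added example, not part of any post in this thread: POSIX shell that reads u_llogin from prpwd(4)-style entries as discussed above (a per-user value overriding the system default of 5184000 seconds, i.e. 60 days) and reports accounts past the 60 + 15 day policy as deletion candidates for the sysadmin to review. The genadmin and someuser entries, the timestamps, the function names, the use of u_suclog as the last-login time and the treatment of a 0 limit as "none" are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Entries use the prpwd(4) layout shown
# above; the genadmin/someuser entries and timestamps are constructed samples.
DEFAULT_ENTRY='default:\
        :d_name=default:\
        :u_minchg#0:u_maxlen#8:u_exp#0:u_life#0:\
        :u_llogin#5184000:u_pw_expire_warning#0:\
        :chkent:'
USER_ENTRY='genadmin:u_name=genadmin:u_id#100:\
        :u_llogin#259200:u_suclog#1159400000:\
        :chkent:'
PLAIN_ENTRY='someuser:u_name=someuser:u_id#101:u_suclog#1159400000:chkent:'

# prpwd_num ENTRY FIELD: print the number stored as FIELD#n, or nothing.
prpwd_num() {
    printf '%s\n' "$1" | tr -d '\\' | tr ':' '\n' |
        sed -n "s/^[[:space:]]*$2#\(-\{0,1\}[0-9][0-9]*\)\$/\1/p" | sed -n 1p
}

# effective_llogin USER_ENTRY DEFAULT_ENTRY: per-user u_llogin in seconds,
# falling back to the system default when it is absent or -1.
effective_llogin() {
    v=$(prpwd_num "$1" u_llogin)
    case "$v" in ''|-1) v=$(prpwd_num "$2" u_llogin) ;; esac
    printf '%s\n' "${v:-0}"
}

# account_state USER_ENTRY DEFAULT_ENTRY NOW GRACE_DAYS
# Assumptions: u_suclog is the last-login time; a limit of 0 means "none".
account_state() {
    limit=$(effective_llogin "$1" "$2")
    last=$(prpwd_num "$1" u_suclog)
    [ "$limit" -gt 0 ] || { echo no-limit; return 0; }
    [ "${last:-0}" -gt 0 ] || { echo never-logged-in; return 0; }
    idle=$(( $3 - last ))
    if [ "$idle" -le "$limit" ]; then echo active
    elif [ "$idle" -le $(( limit + $4 * 86400 )) ]; then echo locked
    else echo delete-candidate
    fi
}

now=$(( 1159400000 + 76 * 86400 ))   # constructed "current time"
echo "default limit:  $(( $(prpwd_num "$DEFAULT_ENTRY" u_llogin) / 86400 )) days"
echo "genadmin limit: $(( $(effective_llogin "$USER_ENTRY" "$DEFAULT_ENTRY") / 86400 )) days"
echo "someuser state: $(account_state "$PLAIN_ENTRY" "$DEFAULT_ENTRY" "$now" 15)"
```

On a real system the entries would come from /tcb/files/auth/system/default and the per-user file; NOW is passed in explicitly so the classification can be checked against any date.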
10-02-2006 01:14 AM
Re: Account expiry
I just got a kind of security rules document to be followed for my system, and one of the rules is explaining this (see below) - the reason why I wanted to delete inactive user accounts:
------------------------
Redundant userids remaining enabled on the system. If an attacker could guess the password then they could access the system without being noticed.
Also, if deleted userids have not had their associated files or file permissions removed then they would be passed to a new user issued with that userid.