System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

"Account is disabled - see Account Administrator" "message in a trusted system

SOLVED
Go to solution
ilputto
Occasional Visitor

"Account is disabled - see Account Administrator" "message in a trusted system

Hi at all,

 

I have a trusted system hp-ux 11.11. I have created further two super-user accounts;

Last month I disabled remote login using the /etc/securetty (set to "console") and using the "PermitRootLogin no" into sshd_config.  After some days I tried to login with my personal account and then switch to root user ( "su -") but i recieve the following error message: "Account is disabled - see Account Administrator".

 

I recieve the same error message if i try to login using other super-user accounts. Also I unable to use the getprpw command because my personal accoun is not a super-user. So I cannot understand why all super-user account has been disabled.

The only workaround I found is to login using MP console , but after some days I get the same login error.

 

So the questions are:

a) Can someone help me to understand why account become disabled?

b) Is it possible to prevent disabling of root account?

 

 

this is the output of getprpw command for root user.

 

lftm=-1,
acctexp=-1,
expwarn=-1,
admnum=-1,
timeod=-1,
sloginy=console,
culogin=-1,
uloginy=-1,
umaxlntr=-1,
alock=NO, l
ockout=0000000

 

thank you for any suggestion

 

 

Adriano C.

 

 

 

2 REPLIES
Matti_Kurkela
Honored Contributor
Solution

Re: "Account is disabled - see Account Administrator" "message in a trusted system

With most getprpw parameters, "-1" means "use the system default value".

 

Apparently the default for all users (unless overridden by per-user settings) is to have your passwords expire after some number of days. Since you haven't specified that the root password should not expire, it will expire just like regular users' passwords. As you know, the workaround for the expired root account is to log in from the console - it allows root (only) to log in even if the password is in expired state.

 

To prevent the password from expiring on a specific account, you must set four password attribute values to zeroes: mintm, exptm, lftm and expwarn. If any one of those four values is non-zero, the account will be considered expirable.

 

modprpw -m mintm=0,exptm=0,lftm=0,expwarn=0 root

 

MK
ilputto
Occasional Visitor

Re: "Account is disabled - see Account Administrator" "message in a trusted system

You are right about means of value "-1". 

Further analysis show me a problem with a specific windows application that was trying to connect to server with user root :-(. After 99 attempt user root was disabled.

 

thank you for your reply.

 

AdrianoC.