Operating System - HP-UX

Account - Disable/Renables

rmueller58
Valued Contributor

Account - Disable/Renables

Gurus,

My HP-UX box has a group of users that seem to consistently get "de-activated", and without warning.

1. Is there a way to remove the forced passwd change globally, say using /sbin/modprpw?

I manage several school districts on one box, and one district seems to have a consistently higher number of passwd and account resets than the other districts.

I can parse for the home path in the passwd file and reset the users in a script. I don't want to use SAM unless I can do it in one full swoop.

Any insights appreciated..
Robert-Jan Goossens_1
Honored Contributor

Re: Account - Disable/Renables

Hi Rex,

Maybe this doc helps a bit.

Document description: Configuring a user back to using the passwd aging system defaults
Document id: KBRC00014490

Europe
http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000072806664

US
http://www4.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000072806664

Best regards,
Robert-Jan
Mel Burslan
Honored Contributor

Re: Account - Disable/Renables

Considering you may be experiencing following the links on the post above this one, like I did, here is a dirty dump output of the elusive getprpw and modprpw man pages:

I think you are looking for commands like these:

#!/usr/bin/sh
# $ID holds the username to check. "getprpw -r -m lockout" prints a
# seven-character 0/1 string; each position is one lockout reason
# (see the man page dump below). The outer case handles getprpw's own
# return code, the inner case decodes the status string.
STATUS=$(/usr/lbin/getprpw -l -r -m lockout $ID)
RC=$?
case "$RC" in
0 ) case "$STATUS" in
    0000000 ) print "Account Active." ;;
    1?????? ) print "LOCKED: Past password lifetime." ;;
    ?1????? ) print "LOCKED: Past inactive time." ;;
    ??1???? ) print "LOCKED: Past account lifetime." ;;
    ???1??? ) print "LOCKED: too many failed logins." ;;
    ????1?? ) print "LOCKED: passwd required." ;;
    ?????1? ) print "LOCKED: Locked by Admin." ;;
    ??????1 ) print "LOCKED: Password is a *." ;;
    * ) print "Unknown status code returned."; exit 10 ;;
    esac ;;
* ) print "getprpw failed with return code $RC."; exit $RC ;;
esac

and to re-enable it if disabled:

/usr/lbin/modprpw -l -m alock=NO $ID

where ID is assigned the username in question.

And here are the man pages.

Hope this helps.

> getprpw - Display per user protected password settings in databases
>
> SYNOPSIS
>
> getprpw [-r] [-m parm[,parm]] username
>
> DESCRIPTION
>
> getprpw displays the user's protected password database settings. This command will be available only in trusted systems environment.
>
> OPTIONS
>
> getprpw recognizes the following options
>
> -r displays the arguments supplied to -m in raw format
>
> -m Displays the value for the argument passed. An "invalid-opt" is printed if a list of options passed to -m contains an invalid option. The rest of the options will be processed. If -m is specified without any parameters, all parameters are displayed in the order given below.
>
> Boolean fields are returned as YES, NO, or DFT (default). Units of time are returned in number of days (>=0). A value of -1 indicates that the field had not been assigned a value in the user database.
>
> The following parameters for the user can be displayed using the -m option.
>
> uid - get the user's uid
> bootpw - get the boot authorization flag
> audid - get audit id
> audflg - get audit flag
> mintm - get the minimum time between password changes
> maxpwln - get the maximum password length for this user
> exptm - get password expiration time
> lftm - get password lifetime
> spwchg - last successful password change time
> upwchg - last unsuccessful password change time
> acctexp - get account expiration time
> llog - last login time interval
> expwarn - password expiration warning time
> usrpick - display whether user picks password field, YES/NO/DFT
> syspnpw - display whether system generates pronounceable passwords, YES/NO/DFT
> rstrpw - display whether password is restricted, i.e. checked for triviality, YES/NO/DFT
> nullpw - display whether NULL passwords are allowed, YES/NO/DFT. NOT RECOMMENDED!!!
> admnum - get admin number
> syschpw - display whether system generates passwords having characters only, YES/NO/DFT
> sysltpw - display whether system generates passwords having letters only, YES/NO/DFT
> timeod - get the time of day allowed for login by this user
> slogint - time of last successful login by this user
> ulogint - time of last unsuccessful login by this user
> sloginy - get tty of last successful login by this user
> culogin - consecutive number of unsuccessful logins so far by this user
> uloginy - tty of last unsuccessful login by this user
> umaxlntr - get maximum unsuccessful login tries
> alock - get the administrator lock, YES if on, NO if off, DFT if not set.
> lockout - returns the reason for a lockout in a "bit" valued string. The position, left to right, represents:
>   1 past password lifetime
>   2 past last login time
>   3 past absolute account lifetime
>   4 exceeding unsuccessful login attempts
>   5 password required and a null password
>   6 admin lock
>   7 password is a *
> The value 0 = condition not present, 1 = condition present.
>
> RETURN VALUES
>
> 0 success
> 1 user not privileged
> 2 incorrect usage
> 3 can not find the password file for this user
> 4 system is not trusted
>
> *****************************
>
> NAME
>
> modprpw - Update per user protected password settings in database
>
> SYNOPSIS
>
> modprpw [-A][-E|V][-e|v][-k][-w][-x][-m option=value[,option=value]] username
>
> DESCRIPTION
>
> modprpw updates the user's protected password database settings. This command will be available only in trusted environment.
>
> OPTIONS
>
> modprpw sets users parameters as defined by options specified. The options should be validated for proper values before updating the database. If the field is not specified in the option then its value remains unchanged in the database, else it is set as specified in the option.
>
> modprpw should recognize the following options
>
> -A To add a new user entry. This entry has to be created with the given username and the -m uid=value. This also returns an admin number that the new user must use to login the first time. Can not be used with the -k, -w or -x options. Error returned if user already exists.
>
> -E This option is specified WITHOUT a user name. It goes through the protected password database and removes the successful login time from all users. The result is all users will need to enter a new password at next login. This option is not valid with any other option.
>
> -e This option is specified with a user name to expire the specified user's password. This option can be specified with the -m option.
>
> -k To unlock/enable a user's account that has become disabled. -m is the only other valid option.
>
> -m Modify the option to the specified value. An "invalid-opt" is printed if a list of options passed to -m contains an invalid option. Processing terminates. If the value=-1, the numeric value in the database is removed, allowing the system default values to be used. Boolean values are specified as YES, NO and DFT for system default values. Valid with -A and -k options only.
>
> Following parameters can be set using this option.
>
> uid=value - Set the uid of the user to value. No sanity checking is done on this value.
> bootpw - set boot authorization privilege. YES/NO ... NO removes it from the file. The default file value is NO.
> audid=value - Set auditid.
> audflg=value - Set auditflag.
> mintm=value - Set the minimum time between password changes to value (days/weeks).
> maxpwln=value - Set the maximum password length for this user.
> exptm=value - Set password expiration time to value (days).
> lftm=value - Set password life time to value (days).
> acctexp - Set the account expiration time. Time is a calendar format time.
> llog=value - Set the last login time interval (days).
> expwarn=value - Set password expiration warning time to value (days).
> usrpick=value - Set whether User Picks Password field, YES/NO/DFT.
> syspnpw=value - Set whether system generates pronounceable passwords, YES/NO/DFT.
> rstrpw=value - Set whether Password is restricted, YES/NO/DFT. If YES, password will be checked for triviality.
> nullpw=value - Set whether Null passwords are allowed, YES/NO/DFT. NOT RECOMMENDED!!
> admnum=value - Admin number returned when adding a new user or resetting an existing user's password.
> syschpw=value - Set whether system generates passwords having characters only field, YES/NO/DFT.
> sysltpw=value - Display whether system generates passwords having letters only field, YES/NO/DFT.
> timeod=value - Set the time of day allowed for login for this user. The format is:
>   key0Starttime-Endtime,key1Starttime-Endtime,...,keynStarttime-Endtime
> Where key has the following values:
>   Mo - Monday, Tu - Tuesday, We - Wednesday, Th - Thursday, Fr - Friday, Sa - Saturday, Su - Sunday, Any - everyday, Wk - Monday -> Friday
> and Starttime and Endtime is the time in military format: HHMM - 00 <= HH <= 23, 00 <= MM <= 59
> umaxlntr=value - Set Maximum Unsuccessful Login tries allowed to value for user.
> alock=value - Set the administrator lock, YES/NO/DFT.
>
> -V This option is specified WITHOUT a user name. It goes through the protected password database and sets the successful login time to the current for all users. The result is that all users' password aging starts at the current time. This option is not valid with any other option.
>
> -w Change the user's password. The single, required option is the encrypted password: -w password. Not valid with any other options.
>
> -x Reset the user's password and return an admin number that the user must later supply to the login process to login and pick a new password. Not valid with any other options.
>
> RETURN VALUES
>
> 0 success
> 1 User not privileged
> 2 Incorrect usage
> 3 Can not find the entry or file
> 4 Can not change the entry
> 5 Not a Trusted System
>
> EXAMPLES
>
> modprpw -m mintm=12,syspnpw=1,syschpw=1 someusr
>
> Set the minimum time between password changes to 12 (days) and should set the System generates pronounceable password flag, the System generates password having characters only flag.
>
> The following example is to restrict the times the user someusr can get on the system on Mondays and Fridays to 5PM-9PM and Sundays from 5AM-9AM. Other days are not restricted.
>
> modprpw -m timeod=Mo1700-2100,Fr1700-2100,Su0500-0900 someusr
>
> WARNINGS
>
> Very little, if any, checking is done to see if the value is valid. It is the user's responsibility to range check values.
>
> DEPENDENCIES
>
> FILES
>
> /etc/passwd System Password file
> /tcb/files/auth/*/* Protected Password Database
> /tcb/files/auth/system/default System Defaults Database
________________________________
UNIX because I majored in cryptology...
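As an added example (not code from this thread), the following script extends Mel's check to the whole-district case the original poster describes: it selects accounts by home-directory prefix from passwd-format input, decodes the seven-position lockout string into all of the reasons present (Mel's case statement reports only the first matching bit), and clears an administrator lock with the same modprpw call Mel gives. It assumes, hypothetically, that a district's users all have home directories under /home/<district>/, that getprpw and modprpw live in /usr/lbin and accept the -l flag as used above, and it ships with constructed sample passwd lines so the selection and decoding logic can be exercised on a non-trusted system. DRY_RUN=1 (the default) only prints the modprpw command.

```shell
#!/usr/bin/sh
# Added example, not code from the thread: audit the Trusted-System lockout
# status of every account in one school district and, optionally, clear an
# administrator lock the way Mel's reply does.
# Assumptions (hypothetical): a district's users all have home directories
# under /home/<district>/, and getprpw/modprpw live in /usr/lbin.

GETPRPW=${GETPRPW:-/usr/lbin/getprpw}
MODPRPW=${MODPRPW:-/usr/lbin/modprpw}
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the modprpw command, do not run it

# Constructed sample of /etc/passwd lines, used to exercise the selection
# logic without touching a real system.
SAMPLE_PASSWD='root:x:0:3::/:/sbin/sh
jsmith:x:1001:20::/home/north/jsmith:/usr/bin/sh
mjones:x:1002:20::/home/north/mjones:/usr/bin/sh
akhan:x:1003:20::/home/south/akhan:/usr/bin/sh
nbot:x:1004:20::/home/northern/nbot:/usr/bin/sh'

# Read passwd-format lines on stdin and print the login names whose home
# directory is under /home/<district>/.  Matching on "/home/north/" rather
# than "/home/north" keeps a "northern" district from being swept in.
users_in_district() {
    awk -F: -v prefix="/home/$1/" 'index($6, prefix) == 1 { print $1 }'
}

# Turn the seven-character string from "getprpw -r -m lockout" into a
# readable list of reasons; positions follow the man page quoted above.
lockout_reasons() {
    s=$1
    case "$s" in
        0000000) echo "active"; return 0 ;;
        [01][01][01][01][01][01][01]) ;;
        *) echo "unknown status: $s"; return 2 ;;
    esac
    reasons=""
    pos=1
    for label in "past password lifetime" "past last login (inactive) time" \
                 "past account lifetime" "too many failed logins" \
                 "password required but null" "admin lock" "password is *"
    do
        if [ "$(printf '%s' "$s" | cut -c"$pos")" = 1 ]; then
            reasons="${reasons:+$reasons; }$label"
        fi
        pos=$((pos + 1))
    done
    echo "$reasons"
}

# Report every account in the district; clear only an administrator lock
# (position 6), since the other reasons are aging policy that should be
# reviewed rather than silently reset.
audit_district() {
    users_in_district "$1" < /etc/passwd | while read -r user; do
        if status=$("$GETPRPW" -l -r -m lockout "$user"); then
            echo "$user: $(lockout_reasons "$status")"
            case "$status" in
                ?????1?)
                    if [ "$DRY_RUN" = 1 ]; then
                        echo "  would run: $MODPRPW -l -m alock=NO $user"
                    else
                        "$MODPRPW" -l -m alock=NO "$user"
                    fi ;;
            esac
        else
            rc=$?
            echo "$user: getprpw failed, return code $rc"
        fi
    done
}

# Usage on a trusted system: DRY_RUN=0 ./audit_district.sh north
if [ $# -gt 0 ]; then
    audit_district "$1"
fi
```

Because getprpw reports every set bit at once, an account that is both past its inactivity window and admin-locked shows both reasons, which is the information needed to tell a policy-driven lockout (something to adjust with modprpw -m, as Jeff's reply discusses) from a one-off lock that can simply be cleared.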
Robert-Jan Goossens_1
Honored Contributor

Re: Account - Disable/Renables

Jeff Schussele
Honored Contributor

Re: Account - Disable/Renables

Hi Rex,

Sure - depending on just what is deactivating them (i.e. idle, max attempts, PW lifetime, etc.), you can use the -m option of modprpw.
For example, if you want an infinite lifetime on a pw, the command would be

/usr/lbin/modprpw -m lftm=0 <username>

If you want to set a long expiration time then use the # of days X 86400 to get this command - let's say 365 days

/usr/lbin/modprpw -m exptm=31536000 <username>

NOTE: There is no man page in the OS for modprpw but you can get one on docs.hp.com

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
rmueller58
Valued Contributor

Re: Account - Disable/Renables

Wow Guys, Thanks all

I've been in meetings since the post. I will review them and see what I can do and assign points.

Time for lunch!!!
rmueller58
Valued Contributor

Re: Account - Disable/Renables

Jeff,

I am not quite sure what is disabling the accounts. It does appear the 180-day inactivity may be coming into play somewhat. Yet others are people that use the system daily. This is baffling to me (and the power users affected are wondering if I can fix it)..

I am finally getting some downtime this week so I can look at it.
If something comes up I will let you all know. Thanks!
rmueller58
Valued Contributor

Re: Account - Disable/Renables

Mel,

I can kind of understand the script you have; however, I don't fully understand the variables, in particular $RC.

I've tried to cut and paste the script on my system; I need to look closer at it. It would be helpful to have these scripts for resetting the onesy/twosy accounts I have on a weekly/daily basis, thanks..

Robert,

I am looking at the scripts on the link you gave me; they do appear to be close to what I need.. I have a school district where in the password file all the $HOME values are set to "/home/$district".

I am creating my read "infile" from /etc/passwd by grepping for "\/home/\$district".

I think it will work for me.

Jeff,

Thanks for the info, I am going to set the value for the lifetime to "0".

Thanks again all!
rmueller58
Valued Contributor

Re: Account - Disable/Renables

Thanks