Re: Account keeps getting disabled

Laura_54 · ‎04-12-2006

I have a user on one of my HP Servers and his account keeps getting disabled every couple of days.

Any ideas why this could be happening?

RAC_1 · ‎04-12-2006

/usr/lbin/getprpw "user_name"

Check last unsuccssful login.
Unsuccessful login attempts.

There is no substitute to HARDWORK

Peter Godron · ‎04-12-2006

Laura,
once you have checked as suggested by RAC, you may find cronjob on another machine is trying to access/ftp the account.

Bill Hassell · ‎04-12-2006

You can see failed login attempts by date using the lastb command:

lastb -R some_user

With the date and time of the attempts, you can compare this to cron jobs by time as well as subsequent succssful logins (use last -R).

Bill Hassell, sysadmin

Laura_54 · ‎04-12-2006

would the password ageing policy be wrong?

Time Between Password Changes = 0 days
Password Expiration Time = 94 days
Password Expiration Warning Time = 7 days
Password Life Time = 94 days

This is what getprpw returned for the user

uid=311, bootpw=NO, audid=346, audflg=0, mintm=-1, maxpwln=-1, exptm=-1, lftm=-1
, spwchg=Wed Apr 12 14:01:55 2006, upwchg=Tue May 18 12:08:47 2004, acctexp=-1,
llog=-1, expwarn=-1, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1
, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Thu Apr 13 10:12:42 2006, ulogint
=Thu Apr 13 10:12:05 2006, sloginy=pts/tn, culogin=-1, uloginy=pts/tn, umaxlntr=
-1, alock=NO, lockout=0000000

His account is currently not locked out.

Prashant Zanwar_4 · ‎04-13-2006

Change time between password change to 1...
It should matter, but can be worth modifying...
and is this only user having problem, i tried all fields with one user in my setup, things appear ok to me.. just try and compare with one not having problem

Thanks and regards
Prashant

"Intellect distinguishes between the possible and the impossible; reason distinguishes between the sensible and the senseless. Even the possible can be senseless."

A. Clay Stephenson · ‎04-13-2006

The next time the account becomes locked before doing anything else, execute /usr/lbin/getprpw user and note the value of the lockout field. The position of each non-zero character in this string indicates the lockout reason. This is your first step to understand what is happening. Man getprpw for details on the lockout string.

It could be something as devious as one of his co-workers intentionally failing to login using his login (but not knowing his password). Knowing the lockout reason is the first step to knowing what is occurring

If it ain't broke, I can fix that.

Laura_54 · ‎04-13-2006

Turns out it was someone else in the organisation who uses his account most days of the week and tends to enter his password wrong all the time

Thanks for all the help,
Laura.

A. Clay Stephenson · ‎04-13-2006

In that case, a yellow sticky note with his password attached to his monitor should solve the problem completely. It is considered a big security no-no for users to share accounts and it becomes impossible to distinguish user mickey from user mickey when security events occur. You would get dinged in a security audit for allowing this practice.

If it ain't broke, I can fix that.

Jeff Schussele · ‎04-13-2006

Hi laura,

And in the event a sticky note fails to do the job, the threat of a Louisville slugger upside their obviously dense skull can do the trick ;~()

Rgds,
Jeff

PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!

Bill Hassell · ‎04-13-2006

Note that in many organizations, sharing an account (ie, using someone else's login) is grounds for immediate termination. It's good that someone was actually using the account and reporting the disabled status, but if this is an important system, you should be running daily scans for disabled accounts as well as duplicate accounts (run the command: logins -d). Other meausres might be to completely remove accounts and files for non-usage as well as abuse. I would also include limiting access to users that actually take security seriously -- and if they can't remember or type a password correctly, they shouldn't be allowed access to sensitive data.

I do know that politics get involved when the fumble-finger user is a manager or vice president, but that's where you get security policies approved at the CEO or president level with no exceptions. Othjerwise, the machine is only as secure as the worst user.

Bill Hassell, sysadmin

Prashant Zanwar_4 · ‎04-13-2006

Disable current account forever and issue a new account for this user.. that can stop other user from doing this..

Thanks and regards
Prashant

"Intellect distinguishes between the possible and the impossible; reason distinguishes between the sensible and the senseless. Even the possible can be senseless."

Peter Godron · ‎04-18-2006

Laura,
could you please identify most helpful answer and close.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Account keeps getting disabled

Account keeps getting disabled