HPE Community
Operating System - HP-UX
1837975 Members
2595 Online
110124 Solutions
New Discussion

How to specifiy when to lock a user account after x days of inactivity

 
SOLVED
Go to solution
Travis Rebok
Advisor

‎11-12-2004 06:11 AM

‎11-12-2004 06:11 AM

How to specifiy when to lock a user account after x days of inactivity

We are running HP-UX 11.0 as a trusted server.

Our corporate security requirements state that we must disable a user's account if the account has been inactive for 45 days. We use SAM as account admin tool. Is there a parameter that controlls this? If so, where would I set it?

I cannot find this in any HP-UX 11.0 documentation or any previous post, but I know that this capability must exist.

We have used SAM to set the password aging parameters (passwd_expiration=90, passwd_lifetime=135).
0 Kudos
Reply
5 REPLIES 5
Sridhar Bhaskarla
Honored Contributor

‎11-12-2004 06:18 AM

‎11-12-2004 06:18 AM

Solution

Re: How to specifiy when to lock a user account after x days of inactivity

Hi Travis,

Got to "General User Account Policies" under "Auditing and Security -> System Security Policies" of SAM.

Enable 'Lock Inactive Accounts' and it will spawn a field that says Maximum Inactive Time: and specify 45 there.

Through command line it would be

modprdef -m llog=45

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Reply
Travis Rebok
Advisor

‎11-12-2004 06:34 AM

‎11-12-2004 06:34 AM

Re: How to specifiy when to lock a user account after x days of inactivity

Sri -

Thanks!. Maybe you know another question then. We are going to change the password aging parameter passwd_lifetime from 300 to 135. We want to reset the users "last password change" to be the current day/time so that their account will not be expired if their last password change was > 135 days ago. I found the following command that can do this for a single id. Is there a way to do it for all IDs through SAM?

# /usr/lbin/modprpw -l -v
0 Kudos
Reply
Sridhar Bhaskarla
Honored Contributor

‎11-12-2004 06:44 AM

‎11-12-2004 06:44 AM

Re: How to specifiy when to lock a user account after x days of inactivity

Hi Travis,

I am not a big SAM user.

The command is '/usr/lbin/modprpw -V'. It will set the 'last passwd change' field to 'NOW' for all the users.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Reply
Travis Rebok
Advisor

‎11-12-2004 06:49 AM

‎11-12-2004 06:49 AM

Re: How to specifiy when to lock a user account after x days of inactivity

Great. Thanks for the help.
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎11-12-2004 08:28 AM

‎11-12-2004 08:28 AM

Re: How to specifiy when to lock a user account after x days of inactivity

11.0 does not have the man pages for modprpw, the most useful tool there is for users and passwords. However, 11.11 has it, and you can find it on docs.hp.com at: http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90691/B2355-90691_top.html&con=/hpux/onlinedocs/B2355-90691/00/02/222-con.html&toc=/hpux/onlinedocs/B2355-90691/00/02/222-toc.html&searchterms=modprpw&queryid=20041112-141537

(sorry for the ugly URL)
Another important file is /etc/default/security which is probably non-existant in your system. If you've kept up on patches, you'll have a man page for security. If not, use docs.hp.com at http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90696/B2355-90696_top.html&con=/hpux/onlinedocs/B2355-90696/00/01/111-con.html&toc=/hpux/onlinedocs/B2355-90696/00/01/111-toc.html&searchterms=security%284%29&queryid=20041112-141944

You can use the attached script to summarize all your security settings.


Bill Hassell, sysadmin
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.