Operating System - HP-UX

Trusted. Display expired accounts.

 
SOLVED
Richard Pereira_1
Regular Advisor

Trusted. Display expired accounts.

Hi,

I have dozens of 11.i servers which are trusted and need a way to track down user ids that are inactive. Is there a way to get this through modprpw or similar commands? Preferably something I could script to automate.

thanks in advance,
Richard
5 REPLIES
Sanjay_6
Honored Contributor

Re: Trusted. Display expired accounts.

Hi Richard,

Maybe the script in this link from itrc might help,

http://www1.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000074740865

The itrc doc id is USECKBAN00000934.

hope this helps.

Regds
Rick Garland
Honored Contributor

Re: Trusted. Display expired accounts.

Another option - requires scripting on your part.

In the /tcb/auth/files directory are the accounts of the system. Within each account file you can decipher the info regarding the passwd expiration, disabled, etc. Write a script to enter into each file and check for the pattern that says the account is disabled.
Sundar_7
Honored Contributor
Solution

Re: Trusted. Display expired accounts.

You can query lockout parameter of the user

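# Run as root; getprpw is called by its full path, /usr/lbin/getprpw
logins | awk '{print $1}' | while read USER
do
    # lockout is a 7-character bit string; all zeros means no lockout
    LOCKOUT=$(/usr/lbin/getprpw -m lockout "$USER")
    if [ "$LOCKOUT" != "lockout=0000000" ]
    then
        echo "$USER: account is not active or locked for reasons ($LOCKOUT)"
    fi
done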

A bit ON (i.e. 1) in any of the lockout word positions indicates the reason for the lockout.



Learn What to do, How to do and more importantly When to do?
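An added example, not part of the post above or of any HP tool: a POSIX shell script that turns the lockout bit string into readable reasons and reports only the affected accounts. The bit meanings are taken from the getprpw(1M) manual page; the function names `decode_lockout` and `lockout_report` and the sample users are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): decode the 7-character string printed by
# "/usr/lbin/getprpw -m lockout <user>". Bit meanings, left to right, are taken
# from the getprpw(1M) manual page.

decode_lockout() {
    # $1 is raw getprpw output such as "lockout=0100010"
    bits=${1#lockout=}
    case $bits in
        [01][01][01][01][01][01][01]) ;;
        *) echo "unparsable: $1"; return 1 ;;
    esac
    reasons=""
    pos=1
    for reason in \
        "past password lifetime" \
        "past last login time (inactive account)" \
        "past absolute account lifetime" \
        "exceeded unsuccessful login attempts" \
        "password required and a null password" \
        "admin lock" \
        "password is a *"
    do
        bit=$(echo "$bits" | cut -c "$pos")
        [ "$bit" = 1 ] && reasons="${reasons:+$reasons; }$reason"
        pos=$((pos + 1))
    done
    echo "${reasons:-none}"
}

# Reads "user lockout=NNNNNNN" lines on stdin and prints only the accounts
# with at least one bit set (or with output that could not be parsed).
lockout_report() {
    while read -r user raw
    do
        result=$(decode_lockout "$raw") || { echo "$user: $result"; continue; }
        [ "$result" = none ] || echo "$user: $result"
    done
}

# Constructed sample input (hypothetical users). On a trusted system, each line
# would come from: echo "$u $(/usr/lbin/getprpw -m lockout "$u")"
SAMPLE='alice lockout=0000000
bob lockout=0100000
carol lockout=1000010'

printf '%s\n' "$SAMPLE" | lockout_report
```

Bit 2 (past last login time) is the one that marks an account as inactive, which is what the original question asks for.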
Bill Hassell
Honored Contributor

Re: Trusted. Display expired accounts.

/usr/lbin/getprpw will give you all these details without reading through the /tcb database. Another technique is to use the under-utilized command: logins (logins -a). Or you can use passwd -s for a specific name, passwd -s -a for everyone.


Bill Hassell, sysadmin
Richard Pereira_1
Regular Advisor

Re: Trusted. Display expired accounts.

I ended up using the following command:
getprpw -m slogint (username)
slogint: time of last successful login
and scripted it.
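#################################
yr=$(date +%Y)       # current year
: > ./user_idle.tmp  # start from an empty report file
for i in `cut -d : -f 1 /etc/passwd`
do
# keep the slogint line only if it does not mention the current year
a=$(/usr/lbin/getprpw -m slogint "$i" | grep -v "$yr")
echo "$i   $a" >>./user_idle.tmp
done
# users whose last successful login was not this year
grep slogint ./user_idle.tmp
#################################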

Where $yr equals this year. I have run this on several machines and have found several accounts that haven't logged in since last year (which is a start for deleting accounts here).
Thanks