>I want to add the /DISUSER Flag on the
>exit/logout of the ABCUSER. This will
>prevent users login if he know the last
>password..
If I'm understanding your objective, I'd suggest adding the DISUSER it to the *LOGIN* rather than the LOGOUT. DISUSER doesn't affect an existing process, it just prevents new processes from starting. You definitely have control over LOGIN, but may not get to the LOGOUT (process disconnection, bug in application, power fail, system crash, etc...). This also prevents your user from connecting a second session before finishing with the first.
Assuming your user has a high level of privileges, just add these lines to LOGIN.COM
$ IF F$TRNLNM("SYSUAF").EQS."" THEN DEFINE/USER SYSUAF SYS$SYSTEM:SYSUAF
$ MCR AUTHORIZE MODIFY 'F$GETJPI("","USERNAME")' /FLAG=DISUSER/NOACCESS
This will use the system defined SYSUAF, or set a logical name to use the default one if there's no system defined one.
(note to Jan, for AUTHORIZE use, the SYSUAF logical name may be in any mode, or in any table visible to the process)
If the user doesn't have SYSPRV (and doesn't need it for the other processing), you can set it as a "trapdoor" privilege:
(permanent setting for account:
$ MCR AUTHORIZE user/DEFPRIVILEGE=SYSUAF/PRIVILEGE=NOSYSUAF
Once you've done the AUTHORIZE command in LOGIN.COM, issue:
$ SET PROCESS/PRIVILEGE=NOSYSPRV
Once SYSPRV has gone from the default mask, it can't be reinstated because it's not in the authorized mask.
All that said, as others have already mentioned, but it's worth stressing... if the privileged user has ANY access to DCL, or, in some cases even a prompt for data, it really doesn't matter how many tricks and traps you set, if they know what they're doing they WILL be able to get past them.
It comes down to a very simple test - If you don't trust the person, don't give them privilege.
A crucible of informative mistakes
