
Forcing password expiration with Advanced Server 7.3A

 
Jeremy Begg
Trusted Contributor


We're running Advanced Server 7.3A on OpenVMS Alpha 7.3-1. A key member of staff is about to leave so we want all our users (about 50) to change their passwords.

Some of those users rely on SYSUAF for authentication, so they're no problem -- we'll just mark all their passwords "pre-expired" so that each user has to change it at next login.

However, the majority have the "ExtAuth" flag set in their UAF entries so that they authenticate against Advanced Server. (Most users have PCs and most use Advanced Server for file sharing and also access the system via DCL.)

Is there a way we can force all users to enter a new password when next they log in?

I have tried using the command MOD USER/FLAG=PWDEXP in the Advanced Server ADMIN program, but it didn't seem to work.
John Gillings
Honored Contributor

Re: Forcing password expiration with Advanced Server 7.3A

Jeremy,

A few possibilities:

Can't you do this on the domain? (or is this one of those places that Windows expects OpenVMS to do and OpenVMS expects Windows to do?)

What if you set PWDEXP both in ADMIN and UAF?

If they're an interactive login, catch them in SYLOGIN.COM and write your own code to force a change. Temporary identifiers and privileged images to revoke them once the change has been confirmed might help here...

Send threatening mail... "change your password or your account will be disabled" then enforce it by checking the password dates in the UAF.

You could just change them and mail a notification to each user with their impossibly ugly new password - would that be a catch 22? (or restore them one by one on demand)...
A crucible of informative mistakes
Mic V.
Esteemed Contributor

Re: Forcing password expiration with Advanced Server 7.3A

I think I'm just saying the same thing John said, but with different words: when I administered an Advanced Server implementation on another non-windows platform ;-), I was able to call up User Manager on my Windows box, change domain to the one running on UNIX, and deal with all of these types of issues. Failing that, perhaps the VMS implementation contains the "net" command and you may be able to DCL/script something to expire them (something with "NET ACCOUNTS" or "NET USER" -- never did this particular task). Sorry to be somewhat vague; I don't have a setup to test with.

Regards,
Mic
What kind of a name is 'Wolverine'?
Jeremy Begg
Trusted Contributor

Re: Forcing password expiration with Advanced Server 7.3A

Hello John & Mic, thank you for your suggestions.

I'm not sure what you mean by "Can't you do this on the domain?". Advanced Server is the PDC and there is only one domain.

Setting a new password for each user is probably what we'll end up doing; it just would have been nice to have the system prompt them for a new password. Sending the new password in a mail message won't work because they won't be able to read the mail until they've got the new password -- but I think you knew that :-)

The suggestion to have SYLOGIN.COM do it for us is possibly workable; I'll check it out further.
Jan van den Ende
Honored Contributor

Re: Forcing password expiration with Advanced Server 7.3A

Jeremy,

on a slightly different issue (to do with some database app, but similar requirement), we did it this way:

In SYLOGIN, if interactive mode, we check for the presence of a certain file in SYS$LOGIN (say, like: Forced_pwd_change_done.sem).
You may even put some warning in for DCL-allowed users to NOT delete the file.

If present, continue normal processing.

If not, then enter password changing routine.
An important part of that routine is, of course, to create that file in SYS$LOGIN.
After your site's PWDLIFETIME has passed, everyone that has logged-in has gone through it, others are pre-expired anyway, so this stuff can be obsoleted, and all .SEM files deleted.

hth

Proost.

Have one on me.

Jan
Don't rust yours pelled jacker to fine doll missed aches.
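The marker-file check described in the post above, as an added DCL sketch for SYLOGIN.COM (not code from the thread or from any poster). The label and symbol names are hypothetical, and it assumes SET PASSWORD is the password-changing routine and that, for ExtAuth accounts, it passes the change on to the external authenticator:

```dcl
$! Added example -- not from the thread. Names below are hypothetical.
$! Only interactive logins are forced through the change.
$ IF F$MODE() .NES. "INTERACTIVE" THEN GOTO PWD_CHECK_DONE
$ MARKER = "SYS$LOGIN:FORCED_PWD_CHANGE_DONE.SEM"
$! Marker present: this user has already been through the routine.
$ IF F$SEARCH(MARKER) .NES. "" THEN GOTO PWD_CHECK_DONE
$!
$ SET NOCONTROL=Y      ! no Ctrl/Y escape from the forced change
$ SET NOON             ! handle a failure here instead of exiting SYLOGIN
$ WRITE SYS$OUTPUT "You must change your password before continuing."
$ DEFINE/USER_MODE SYS$INPUT SYS$COMMAND   ! take input from the terminal
$ SET PASSWORD
$ PWD_STATUS = $STATUS
$ IF .NOT. PWD_STATUS
$ THEN
$     WRITE SYS$OUTPUT "Password not changed; logging out."
$     LOGOUT
$ ENDIF
$! Create the marker only after SET PASSWORD reported success.
$ OPEN/WRITE MARKER_FILE 'MARKER'
$ CLOSE MARKER_FILE
$ SET ON
$ SET CONTROL=Y
$PWD_CHECK_DONE:
```

Because the marker lives in the user's own login directory, a DCL user can create it by hand, so it records that the routine ran rather than proving the password changed; comparing the account's "Password last set" date against the cutoff date, as suggested further down the thread, is the stronger check.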
Antoniov.
Honored Contributor

Re: Forcing password expiration with Advanced Server 7.3A

Jeremy,
I'm sure you typed the right commands. User pre-expired passwords are set by
$ ADMIN MOD USER username /FLAG=PWDEXP
However, I don't know how you manage the accounts of your domain. First of all, do you use the (AS only) or the (AS & VMS) security model? I don't know if PWDEXP works within the AS & VMS security model without changing the password. For my users I always set a temporary password and /FLAG=PWDEXP, so they have to log on with the temporary password and then modify it.
An expired password may be changed by the client only if it uses the NDIS layer; I don't know if Unix boxes are able to do this.

Antonio Vigliotti
Antonio Maria Vigliotti
Mic V.
Esteemed Contributor

Re: Forcing password expiration with Advanced Server 7.3A

Hi, Jeremy,

What I think he meant was the kind of thing I said: it depends on your Windows release, but the application is called "User Manager." On real NT, I recall it sitting in a folder somewhere. In 2K, it's a control panel application. (Sorry, I'm not very Microsoft literate.) A download link is here:

http://www.microsoft.com/downloads/details.aspx?familyid=c0011ab8-3178-4701-a791-eafba0f42de2&displaylang=en

Here's some (potentially dated) information on expiring passwords:

http://www.microsoft.com/technet/archive/winntas/deploy/confeat/05wntpcb.mspx

Best,
Mic
What kind of a name is 'Wolverine'?
Anton van Ruitenbeek
Trusted Contributor

Re: Forcing password expiration with Advanced Server 7.3A

Jeremy,

I'm missing a point. Are you talking about users who are EXTAUTH but log in to VMS, or are these users logging into Window$?
Another question: why do all the users need to change their passwords if someone is leaving? The only username we will change in these circumstances is SYSTEM! Which, by the way, we never log in to, but just in case.

If your concern is about people who are logging into VMS but have EXTAUTH, I don't see a possibility to do this in the SYLOGIN. After the user has logged in you can check with ADMIN SHOW USER /FULL, on the line 'Password last set', whether this is after a certain date. If not, force a set password.
Advanced Server will try to synchronize the passwords if all is set up correctly.

AvR
NL: Meten is weten, maar je moet weten hoe te meten! - UK: Measurement is knowledge, but you need to know how to measure!
Jeremy Begg
Trusted Contributor

Re: Forcing password expiration with Advanced Server 7.3A

Thanks again for the various suggestions.

Anton, there are two types of users: some use VMS/DCL exclusively and don't go near Advanced Server; they don't have the EXTAUTH flag. The other type of user has a PC and accesses file shares via Advanced Server and also logs into VMS as an interactive user. These users have the EXTAUTH flag set. I've noticed myself that VMS will attempt to synchronise the SYSUAF password with the A/S password if LOGINOUT detects that the A/S password has changed.

Antonio & Mic - thanks for the suggestions and the links. Useful background information there, for someone like me who has very little experience with a "real" Windows server.

I like your idea too, Jan. We may end up doing something like that in the future.

I think that's enough on this for now. The user in question is leaving today and I don't think we'll have to go through the same exercise for a while yet. (This particular user was the PC network sysadmin and hence he knew way too many passwords :-)

Jeremy Begg
Trusted Contributor

Re: Forcing password expiration with Advanced Server 7.3A

We don't have an ideal solution but I'm putting that down to limitations in Windows & Advanced Server. Give me SYSUAF authentication & security any day :-)