Operating System - OpenVMS
1748248 Members
3531 Online
108760 Solutions
New Discussion юеВ

VMS Account identifier change when account expires.

 
SOLVED
Go to solution
Kenneth James_2
New Member

VMS Account identifier change when account expires.

We have instances where a user accounts on our system expire but until now we didn't realize that the identifiers that we added to the account upon creation were no longer there when we reset the user account password. Why does VMS account identifier get deleted when account expires and how do we prevent it in the future?
4 REPLIES 4
Jon Pinkley
Honored Contributor
Solution

Re: VMS Account identifier change when account expires.

What do you mean by "account identifier" and by "account expires"?

The UIC valued identifier that is created by AUTHORIZE when creating a new username does not get deleted when a date passes the time specified by /expiration

Example:

OMEGA$ uaf s field

Username: FIELD Owner: FIELD SERVICE
Account: FIELD UIC: [1,10] ([FIELD])
CLI: DCL Tables: DCLTABLES
Default: SYS$SYSDEVICE:[FIELD]
LGICMD: LOGIN
Flags: DisUser
Primary days: Mon Tue Wed Thu Fri
Secondary days: Sat Sun
Primary 000000000011111111112222 Secondary 000000000011111111112222
Day Hours 012345678901234567890123 Day Hours 012345678901234567890123
Network: ##### Full access ###### ##### Full access ######
Batch: ##### Full access ###### ##### Full access ######
Local: ##### Full access ###### ##### Full access ######
Dialup: ----- No access ------ ----- No access ------
Remote: ##### Full access ###### ##### Full access ######
Expiration: 12-JUN-1999 00:00 Pwdminimum: 8 Login Fails: 0
Pwdlifetime: 30 00:00 Pwdchange: 11-JUN-1999 19:43
Last Login: 11-JUN-1999 19:44 (interactive), 14-JAN-1997 16:48 (non-interactive)
Maxjobs: 0 Fillm: 200 Bytlm: 150000
Maxacctjobs: 0 Shrfillm: 0 Pbytlm: 0
Maxdetach: 0 BIOlm: 512 JTquota: 8192
Prclm: 2 DIOlm: 512 WSdef: 150
Prio: 4 ASTlm: 24 WSquo: 1024
Queprio: 0 TQElm: 200 WSextent: 0
CPU: (none) Enqlm: 5000 Pgflquo: 100000
Authorized Privileges:
ALLSPOOL DIAGNOSE GROUP GRPNAM LOG_IO NETMBX
OPER PHY_IO PRMCEB PRMMBX SETPRV TMPMBX
Default Privileges:
ALLSPOOL DIAGNOSE GROUP GRPNAM LOG_IO NETMBX
OPER PHY_IO PRMCEB PRMMBX SETPRV TMPMBX
OMEGA$

This account has expiration set to "12-JUN-1999 00:00" but the identifier FIELD is still there (with value UIC:[1,10])

You may have some third party application that is removing accounts, and when a username is removed, the identifier associated with the UIC is removed as well, unless you specify /NOREMOVE_IDENTIFIER

Jon
it depends
Hoff
Honored Contributor

Re: VMS Account identifier change when account expires.

Username expiration is unrelated to security identifiers, and simple username expiration does not remove identifiers.

Is this a cluster? Are all required files shared, per (V7.2 and later) SYLOGICALS.TEMPLATE file. Without the proper files shared, all manner of weirdnesses can ensue.

I'd expect a configuration issue of some sort here with the files that need be common in a cluster, or the presence of a local or add-on tool or procedure that deletes expired usernames.

Enable security auditing for authorization database changes, set a short expiration on a test account, wait, and watch the show. If that auditing and the above comments do not identify the source, please post up the command(s) used, the username(s) involved, OpenVMS versions and related relevant details.
Hein van den Heuvel
Honored Contributor

Re: VMS Account identifier change when account expires.

>> we reset the user account password.

How is the password reset? With a simple AUTHORIZE MODI commance, or with some script which perhpas re-creates the acocunt?

>> Why does VMS account identifier get deleted when account expires

I don't think VMS would do that.
I suspect there are other forces in play.

fwiw,
Hein.
Kenneth James_2
New Member

Re: VMS Account identifier change when account expires.

It was a third party app that was removing the identifiers.