Force user profile to change their password on as/400
Hi ,
I need to force certain users to change theier passwords for every 45 days,if they not theri user profile should be disable.
Do we have any options to do it from green screen.
Thanks in advance
Version:v5r3
Software/Hardware used:
I need to force certain users to change theier passwords for every 45 days,if they not theri user profile should be disable.
Do we have any options to do it from green screen.
Thanks in advance
Version:v5r3
Software/Hardware used:
ASKED:
June 9, 2010 8:06 AM
UPDATED:
July 4, 2010 9:46 PM
Answer Wiki:
yes there is...
check out this wrksysval *sec qpwdexpitv
I think that with this system value you only force to expirer the pwd but to disaled the usrprf you will need to create a pgm that check the user and disaled the ones with expired pwd.
=====================================================
First, set system value QPWDEXPITV to whatever it should be set system-wide. Then set PWDEXPITV() to 45 days for the "certain users" that need that setting. That prepares the system for the basic programming that follows.
On a daily basis, run a simple program that does DSPUSRPRF *ALL OUTPUT(*OUTFILE) and read through the file. The records will tell you if a profile has a 45-day password limit and if the password has expired. If so, then run CHGUSRPRF STATUS(*DISABLED) for that user.
The profiles with 45-day password expiration limits will already have expired passwords, but the programming also disables them.
Tom
To see all answers submitted to the Answer Wiki: View Answer History.
thanks for quick replay….
i belive the above command affects all the user profiles…but i want it to be only for the cetain users..(not for all)
thanks again.
i belive the above command affects all the user profiles…but i want it to be only for the cetain users..(not for all)
Then you should review the PWDEXPITV() attribute of individual user profiles. The attribute defaults to *SYSVAL which refers to the QPWDEXPITV system value; but you can set values for individuals.
However, the rest of your question — to disable them if they don’t change their password in the interval specified — takes additional steps.
Tom
When a user’s password has expired, the system does not allow them to log on until a new password is supplied. Fortunately, the system reminds the user at that time and presents the necessary screens for the password change. From the user’s point of view, this has the same effect as a disabled account, i.e. no access to the system.
This may achieve the desired effect without writing any special code.
I think you should do GO SECTOOLS. The options 2, 3 and 4 on the menu are the ones you need to look into. Option 4 submits a job that will execute an action (eg DISABLE) against profiles that have not been active for a number of days. Option 3 allows you to setup a list of profiles that are excluded from these actions.
If I am not mistaken option 4 even will schedule the checking and disabling job to run on a daily basis. You will have to verify this, but I think that is the solution you are looking for: no extra programming, just a quick setup and done.
When a user’s password has expired, the system does not allow them to log on until a new password is supplied.
That’s true. However, it’s not clear if that’s sufficient. A profile with expired password can still be logged on to by supplying a new password. But a disabled profile can’t be logged on to until the profile is *ENABLED.
If there is a requirement to set the profile as *DISABLED, additional programming is needed.
Option 4 submits a job that will execute an action (eg DISABLE) against profiles that have not been active for a number of days.
That is also true. But it doesn’t address the question. A profile that hasn’t been used is different from a profile that’s regularly used but doesn’t have a changed password.
Tom
We use a combination of QPWDEXPITV and a daily scheduled run of the ANZPRFACT.