AS/400 User Profile Disabling

5 pts.
Tags:
AS/400 security
AS/400 user profiles
i520
iseries v5r4
V5R3
Two weekends ago I upgraded our i520 from OS V5R3M0 to V5R4M0 and ever since we have had problems with user profiles becoming disabled. These are not because of incorrect password either, as many users are ones who use the system daily and have had no previouse issues with passwords.

Answer Wiki

Thanks. We'll let you know when a new response is added.

Have a look at the system values to see if there might be a reason that they are being diabled easier than they were before the upgrade. If you had spooled the system values before the upgrade (This is a good idea!) compare the current to the old settings:

WRKSYSVAL SYSVAL(*SEC) OUTPUT(*PRINT)

These are the values I would be looking at:

QMAXSGNACN
QMAXSIGN
QSECURITY

Voodoo

Discuss This Question: 3  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Whatis23
    Other than an activation schedule (which would use scheduled times), the system values are the only OS method which would disable user profiles. The history log will keep a record of every failed login attempt (filter for CPF2234) so if there is nothing listed, you have another issue.
    5,665 pointsBadges:
    report
  • Batman47
    You could be running the ANZDFTPWD command with the *DISABLE parameter which will disable all profiles that use the IBM default password. The ANZPRFACT command will disable profiles (even those that don't use the IBM default for a password) based on the number of days of inactivity that you specify. Use the DSPACTPRFL command to see the number of days a profile is inactive before it becomes disabled. This command will also list the profiles that will be excluded. Use the WRKJOBSCDE command to view your IBM Job Schedule Entries and look for the QSECIDL1 job, which will run the ANZPRFACT command. One other area I can think of is iSeries (or system i or IBM i) Access. If a client has Auto-reconnect checked in their Configuration the session will automatically repeat a sign-on attempt multiple times if there is a problem with the network.... so, if the user enters the incorrect password only once the profile can become disabled if QMAXSGNACN is set to 2 or 3 no matter what you have QMAXSIGN at (hopefully, it's not set to *NOMAX, which would be very poor security). Look further into IBM i Access if the problem is still not found.... using OpsNav, check the properties of the system on a client having this issue. If they are not using 'Prompt every time' to signon then they could be using the Windows password (which may not be the same).
    1,050 pointsBadges:
    report
  • Splat
    If you don't have a QSYSMSG message queue built, do so (create it in QSYS). It will records when a profile is disabled via a failed sign-on attempt - it does not record profiles disabled by ANZPRFACT.
    7,655 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following