Enabling disabled password in AS/400

1480 pts.
AS/400 passwords
We have been of late getting number of mails where in user password gets disabled and they send us mail after which we enable the id. Is it possible by any which way that the we ask user to reply to few questions enters some information which is cross checked and if found ok the id gets enabled as is done with normal banking accounts and demat accounts.

Software/Hardware used:
i series , as400

Answer Wiki

Thanks. We'll let you know when a new response is added.

Assuming that the user profile is being disabled due to the QMAXSIGN system value threshold being exceeded, then the answer is “kind of”.

Vendor response follows:

For my eXtreme CL Message Monitor product I provide a scenario where QMAXSIGN is exceeded and the user profile is re-enabled (along, when necessary, with varying back on the device description as quite often the display device will also be varied off).

The sample scenario doesn’t actually prompt the user with security-related questions (it is after all just a sample lol), but the general approach should work with some changes.

The user program which receives control upon a user profile going disabled due to QMAXSIGN is not running in a job associated with the display device where the user is attempting to signon (there is no user job associated with the display as they haven’t signed on yet). So your program would need to acquire the display (which should work fine as the display device is at the signon panel though you may need to vary the device back on also — easily enough done) and then prompt the user with the security questions. If they answer correctly the program re-enables the user profile and releases the display. The user should now see the signon panel and try their password again.

The one caution is that the user may have walked away from the terminal. So you will most likely want a command key enabled to get (the next user) off of your security prompt panel, have the program prepared for the device to “now” be in use (someone else signed on in the (hopefully) brief period of time between profile disabled and your program getting control), verify that the *usrprf being re-enabled is indeed disabled (again due to a different user potentially being at the display), etc.

If you are interested in using this type of approach I would enjoy hearing from you directly — this could be a nice little add on product for me too :). The eXtreme CL Message Monitor support is ready to go but not currently on the web site (<a href=”http://powercl.com/xcl/about-xcl”>here</a>) due to other work keeping the web manager busy. The support provides for you defining message conditions to trigger the calling of your program(s) — or sending a user formatted message to a user specified *DTAQ or running a command though I believe you would want to use the program call support — and for the generation of a stub version of your program(s).

For an eXtreme CL approach your system will need to be at V5R4 or later.

End of vendor response.

The “kind of” I mentioned earlier is due to the small timing window between the user profile being disabled and your program getting to the device. It’s not like the system has a direct exit to your program from the signon panel.



Be aware that “bypass signon” configurations may make it tricky to ‘acquire’ the appropriate devices. If the session connection cannot be established due to profile/password problems, there might be no device available to acquire.

See these three questions for more info about your question:



I suggest you to write a customized CL program which will access the database for anything you put (like Q&A) and write the logic to check if the user enters the correct value then proceed to get the user ID enabled based on that.

Hope this will clear your doubt.

Discuss This Question: 4  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • TomLiotta
    Can you clarify the "disabled" problem? In both the title and the question, the reference is to "disabled password". But passwords don't get disabled -- profiles get disabled. Passwords get expired. So, either the word 'disabled' was used in place of 'expired' or 'password' was used in place of 'profile'. Can you clarify the precise situation, please? Tom
    125,585 pointsBadges:
  • bvining
    Vendor response. If you're interested, I have a reasonably functional solution for the problem you described. It's not complete in that 1) I haven't put in any help text and 2) the programs currently assume that the same display type (CCSID if you will) is used when setting a challenge answer and later providing the challenge answer (that is, don't go outside of A-Z, 0-9, etc in the question answer if the user has international tendencies), but it works well enough for some testing. The user can select a question, from twenty question choices, to answer; the answer is not stored anywhere in clear text form; and, when the profile is disabled from the signon panel, the user is presented with a panel asking if they want to reset their password. If yes and they successfully answer the posed question (two tries) then the password can be left as it was with the profile being re-enabled or a temporary password can be assigned (which they are required to then change upon successfully signing on to the system). This approach assumes that the user is still on the signon panel when their profile becomes disabled -- which may or may not be a reasonable assumption depending on your configuration. If you would like to do some testing please let me know. End vendor response. Bruce Vining
    7,070 pointsBadges:
  • JohnsonMumbai
    Hi Tom, You are right the sentence should read as user profile gets disabled. Iam second thoughts on implementing the same as i dont think our IT security would enable this function on our Production system. Regards. Johnson
    1,480 pointsBadges:
  • Amvit
    Hi there, We implemented this using a product called FastPass Password Manager http://www.fastpasscorp.com. Works great - your users will have to have an AD account to get it working. They can either sync the passwords from AD or let the user select a target to password reset - eg. SAP iSeries. Uses Challenge response and SMS pin for auth. Anders
    40 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: