expire accounts with ADMCHG set - Aix



  1. expire accounts with ADMCHG set

    OK, new audit requirement -- AIX 5.3--maybe 5.2 -- accounts with
    ADMCHG set ignore expiration dates. Is there any way to change this
    behavior?

    We create accounts and set an initial passwd with the admchg flag
    set. The accounts are supposed to expire in 90 days. BUT if the user
    never logs in in that period the accounts do not expire, they can log
    in with the initial passwd at any time in the future and they will
    get in.

    I know this can be scripted but I would prefer something inherent in
    AIX to do the job before I go off the deep end and accidentally lock
    everybody out....
    thanx



  2. Re: expire accounts with ADMCHG set

    On Aug 19, 9:37 am, jthomp1...@yahoo.com wrote:
    > Ok new audit requirement -- AIX 5.3--maybe 5.2 -- accounts with
    > ADMCHG set ignore expiration dates. Is there any way to change this
    > behavior?
    >
    > We create accounts and set an initial passwd with the admchg flag
    > set. The accounts are supposed to expire in 90 days. BUT if the user
    > never logs in in that period the accounts do not expire, they can log
    > in with the initial passwd at any time in the future and they will
    > get in.
    >
    > I know this can be scripted but I would prefer something inherent in
    > AIX to do the job before I go off the deep end and accidentally lock
    > everybody out....
    > thanx


    According to IBM support there's not. And there's no good built-in date
    routine for minutes from epoch, so this becomes a C exercise or Perl
    maybe. Sure wish the OS did this; I hate the idea of scripting mass
    lockouts out of a cron job, no doubt I will whack root or oracle at
    some point.


  3. Re: expire accounts with ADMCHG set

    On Aug 20, 4:37 am, jthomp1...@yahoo.com wrote:
    > Ok new audit requirement -- AIX 5.3--maybe 5.2 -- accounts with
    > ADMCHG set ignore expiration dates. Is there any way to change this
    > behavior?
    >
    > We create accounts and set an initial passwd with the admchg flag
    > set. The accounts are supposed to expire in 90 days. BUT if the user
    > never logs in in that period the accounts do not expire, they can log
    > in with the initial passwd at any time in the future and they will
    > get in.
    >
    > I know this can be scripted but I would prefer something inherent in
    > AIX to do the job before I go off the deep end and accidentally lock
    > everybody out....
    > thanx


    Easiest (!) thing may be to install "expect" and set the password to
    some pre-agreed standard, and that would remove this dependency.
    I run a weekly AIX audit script (but believe the AIXPert Fileset can
    do this too) where I sniff around all the /etc/security files looking
    for "badness".
    HTH
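
An added example, not part of the thread or any poster's script: a report-only check for the situation discussed above, in POSIX sh and awk, that lists accounts still flagged ADMCHG past an age limit while skipping an exempt list such as root and oracle. It assumes the AIX `/etc/security/passwd` stanza layout with `lastupdate` in seconds since the epoch and `flags` as a comma-separated list; the function names, the exempt default and the sample stanzas are constructed for illustration, and the caller supplies the current epoch time.

```shell
# Report-only: accounts still carrying ADMCHG whose lastupdate is older than
# a limit. Nothing is locked. Caller supplies NOW_EPOCH (e.g. perl -e 'print time').
# usage: stale_admchg FILE NOW_EPOCH MAX_AGE_DAYS [EXEMPT_CSV]
stale_admchg() {
    awk -v now="$2" -v days="$3" -v exempt="${4:-root,oracle}" '
    function report() {
        if (user != "" && admchg && last > 0 && !(user in skip) &&
            now - last > days * 86400)
            printf "%s %d\n", user, int((now - last) / 86400)
    }
    BEGIN {
        n = split(exempt, e, ",")
        for (i = 1; i <= n; i++) skip[e[i]] = 1
    }
    /^[^ \t#*][^ \t]*:[ \t]*$/ {      # stanza header "name:"
        report()
        user = $1; sub(/:$/, "", user)
        admchg = 0; last = 0; next
    }
    $1 == "lastupdate" && $2 == "=" { last = $3 + 0 }
    $1 == "flags" && $2 == "=" {       # e.g. "flags = ADMIN,ADMCHG"
        line = $0
        sub(/^[^=]*=[ \t]*/, "", line); gsub(/[ \t]/, "", line)
        m = split(line, f, ",")
        for (i = 1; i <= m; i++) if (f[i] == "ADMCHG") admchg = 1
    }
    END { report() }
    ' "$1"
}
# Constructed sample in the assumed stanza layout (not real data).
sample_passwd() {
    cat <<'EOF'
root:
        lastupdate = 1000000000
        flags = ADMCHG

newhire:
        lastupdate = 1000000000
        flags = ADMCHG

active:
        lastupdate = 1000000000
        flags =

recent:
        lastupdate = 1008000000
        flags = ADMIN,ADMCHG
EOF
}
```

Each output line is an account name and the age of its unchanged initial password in days, so the list can be reviewed before anyone decides to lock an account.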
