Auto disable User account if they have not logged in for a month.
Occasional Advisor
Ankur007
Posts: 7
Registered: ‎11-08-2011
Message 1 of 9 (803 Views)

Auto disable User account if they have not logged in for a month.

I have a requirement to disable a user account automatically if the user has not logged in for a month. Can you help me with this?

Trusted Contributor
RBrown_1
Posts: 193
Registered: ‎05-06-2008
Message 2 of 9 (780 Views)

Re: Auto disable User account if they have not logged in for a month.

VMS does not have this capability built in, but it is easy to write a command file to do what you need.

 

First, get the freeware GETUAI from ftp://ftp.hp.com/pub/openvms/freeware/getuai or any other place that you like. This program extracts fields from SYSUAF and puts them into DCL symbols. In particular, you could extract the last login date and compare it to today's date. If the last login is too old, then execute an AUTHORIZE command to DISUSER the account.

 

You will need a list of USERNAMEs that this applies to. Either get this list from management, or apply it to all users except special system accounts (like SYSTEM). In the latter case, you can simply read SYSUAF to get a list of USERNAMEs and then use GETUAI to get information about the user.

 

Check the manuals or use the VMS HELP command to learn more. Here are some things you will want to look up:

   OPEN
   READ
   CLOSE
   IF
   LEXICALS F$CVTIME
   AUTHORIZE MODIFY /FLAGS

 

Once you have your command file working, you can use the VMS BATCH system to schedule it to run every midnight or so. Look up the SUBMIT command.

 

HTH

Honored Contributor
Hoff
Posts: 4,932
Registered: ‎01-29-2006
Message 3 of 9 (768 Views)

Re: Auto disable User account if they have not logged in for a month.

There's an updated getuai version here.  But dig around on the Freeware in general here, too, as this is very far from the first time somebody's gone looking for this request.  The Google site keyword (eg: /site:decuslib.com other search keywords here/) can target your search.

 

Occasional Advisor
Ankur007
Posts: 7
Registered: ‎11-08-2011
Message 4 of 9 (756 Views)

Re: Auto disable User account if they have not logged in for a month.

Thanks for the reply

 

Advisor
David R. Lennon
Posts: 24
Registered: ‎06-20-2006
Message 5 of 9 (723 Views)

Re: Auto disable User account if they have not logged in for a month.

We've used the SCANUAF program inside a command procedure to implement a similar security requirement. I would think this would be more appropriate (or easier) than GETUAI...

 

http://vms.process.com/scripts/fileserv/fileserv.com?SCANUAF

 

 

Trusted Contributor
RBrown_1
Posts: 193
Registered: ‎05-06-2008
Message 6 of 9 (719 Views)

Re: Auto disable User account if they have not logged in for a month.


David R. Lennon wrote:

We've used the SCANUAF program inside a command procedure to implement a similar security requirement. I would think this would be more appropriate (or easier) than GETUAI...

 


Some years ago I switched from SCANUAF to GETUAI, but I don't remember why ....

Honored Contributor
Craig A Berry
Posts: 495
Registered: ‎05-06-2003
Message 7 of 9 (708 Views)

Re: Auto disable User account if they have not logged in for a month.

For yet another way to do it, I prefer Joe Meadows' UAF utility, which I've updated and released at http://code.google.com/p/jmuaf/.  To get a list of users who have not logged in during the last month (and are not already disusered), do:

 

$ uaf/select=(interactive=(17-nov-1858,9-oct-2011), -
noninteractive=(17-nov-1858,9-oct-2011), flags=nodisuser) -
/match=and/display=(username,interactive,noninteractive)

 

Inserting the date one month ago today in place of the hard-coded 9-oct-2011 and parsing the output to generate the AUTHORIZE statements to disuser the accounts are left as an exercise for the reader, but they are pretty trivial DCL.

Honored Contributor
Hein van den Heuvel
Posts: 6,585
Registered: ‎05-19-2003
Message 8 of 9 (707 Views)

Re: Auto disable User account if they have not logged in for a month.

Below is a bit (or two) of DCL which generates AUTHORIZE MODIFY commands to DISUSER records with a last login before a certain date, which are not disusered already.

 

You may also want to consider looking at the 'expiration' date, and non-interactive logins. (BACKUP !?)

 

Usage  

 

$ @UAF_LASTLOGIN.COM /OUT=disuser.tmp  90 ! default 31 days, absolute date also accepted
$ TYPE/PAGE disuser.tmp  ! Review
$ MCR AUTHORIZE @disuser.tmp  ! Execute.

 

Enjoy,

Hein

 

$!
$! uaf_last_login.com    Hein van den Heuvel,August 2007.
$
$! List records from SYSUAF for which the Last Interactive Login is
$! before a cutoff_date and which are not yet disusered.
$!
$! Provide number of days, or date, as argument. Default 31 days
$
$ IF p1.EQS."" then p1 = 31
$ IF F$TYPE(p1).EQS."INTEGER"
$  THEN cutoff_text = f$cvtime("0:0:0 -''p1'-")
$  ELSE cutoff_text = f$cvtime(p1)
$ ENDIF
$ s = $status
$ IF .NOT.s then $EXIT 's
$
$!libr/extr=$uafdef/out=uafdef.tmp sys$library:lib.mlb
$!sea uafdef.tmp flag...
$!EQU    UAF$Q_LASTLOGIN_I       396
$!EQU    UAF$L_FLAGS     468
$!EQU    UAF$V_DISACNT   4
$
$close /nolog uaf
$open/error=ooops/read uaf 'f$parse("SYSUAF","SYS$SYSTEM:.DAT",,,"SYNTAX_ONLY")
$
$ found = 0
$ records = 0
$loop:
$ read/nolock/end=done uaf rec
$ records = records + 1   ! count only records actually read
$ username=f$extr(4,12,rec)
$ IF f$cvsi(468*8+4,1,rec) THEN GOTO loop ! disuser already ?
$
$ lastlogin_binary  = F$EXTR(396,8,rec)
$ lastlogin_date = F$FAO("!%D",f$cvui(32,32,f$fao("!AD",8,lastlogin_binary)))
$ lastlogin_text = F$CVTIME(lastlogin_date)
$
$ IF lastlogin_text .GTS. cutoff_text THEN GOTO loop
$
$! At this point we have a record which was not dis-usered,
$! and the user has not recently logged in. Policy says to disable the account.
$
$ text = "Last Login " + lastlogin_date
$ IF f$cvsi(0,32,lastlogin_binary) .EQ. 0 THEN text = "Never logged in."
$
$ WRITE sys$output "MODIFY ''username' /FLAG=DISUSER !" + text
$ username = ""
$ found = found + 1
$ goto loop
$
$done:
$WRITE sys$output "! found ", found, " targets. Total records: ", records
$close uaf
$ooops:
$exit '$status

 

 

 

Occasional Advisor
John_Malmberg
Posts: 5
Registered: ‎10-06-2011
Message 9 of 9 (696 Views)

Re: Auto disable User account if they have not logged in for a month.

The first step is to set up identifiers to categorize the users and grant them the appropriate accounts.

 

These allow you to select the records for the users that are candidates to be disabled.  Otherwise you could take out an account used for special purposes.

 

I also add identifiers to indicate the special accounts.

 

You also need to look at the batch and network and other access times.  I have seen many users incorrectly disabled because they only had network access.

 

As long as you are doing the reports, you should also be checking for extra privileged and uncategorized accounts.

 

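The checks suggested in messages 8 and 9 (non-interactive logins, accounts that must never be disabled) can be folded into the same record-scanning approach. The procedure below is an added example, not code from any poster in this thread; the name UAF_STALE.COM, the exempt list and the offset 404 for UAF$Q_LASTLOGIN_N are assumptions (confirm the offset with the LIBRARY/EXTRACT=$UAFDEF command that is commented out in message 8's procedure).

```dcl
$! UAF_STALE.COM (hypothetical name) - added example, not from the thread.
$! Writes AUTHORIZE commands for accounts whose interactive AND
$! non-interactive last logins are both older than P1 days (default 31).
$ IF p1 .EQS. "" THEN p1 = 31
$ cutoff = F$CVTIME("0:0:0 -''p1'-")          ! same expression as message 8
$ exempt = ",SYSTEM,DEFAULT,FIELD,SYSTEST,"    ! assumption: site exempt list
$ CLOSE/NOLOG uaf
$ OPEN/READ/ERROR=fail uaf 'F$PARSE("SYSUAF","SYS$SYSTEM:.DAT",,,"SYNTAX_ONLY")'
$ found = 0
$loop:
$ READ/NOLOCK/END=done uaf rec
$ username = F$EDIT(F$EXTRACT(4,12,rec),"TRIM")
$! Skip accounts that must never be disabled, and ones already disusered.
$ IF F$LOCATE(","+username+",",exempt) .LT. F$LENGTH(exempt) THEN GOTO loop
$ IF F$CVSI(468*8+4,1,rec) THEN GOTO loop       ! UAF$V_DISACNT set
$ offset = 396                                  ! UAF$Q_LASTLOGIN_I
$ GOSUB get_time
$ IF when .GTS. cutoff THEN GOTO loop           ! recent interactive login
$ last_i = shown
$ offset = 404                                  ! UAF$Q_LASTLOGIN_N (assumed)
$ GOSUB get_time
$ IF when .GTS. cutoff THEN GOTO loop           ! recent batch/network login
$ WRITE SYS$OUTPUT "MODIFY ", username, " /FLAGS=DISUSER ! I: ", last_i, " N: ", shown
$ found = found + 1
$ GOTO loop
$!
$! Convert the quadword at OFFSET into WHEN (comparison form) and SHOWN.
$get_time:
$ bin = F$EXTRACT(offset,8,rec)
$ shown = F$FAO("!%D",F$CVUI(32,32,F$FAO("!AD",8,bin)))
$ when = F$CVTIME(shown)
$ IF F$CVSI(0,32,bin) .EQ. 0 .AND. F$CVSI(32,32,bin) .EQ. 0 THEN shown = "never"
$ RETURN
$!
$done:
$ WRITE SYS$OUTPUT "! ", found, " candidate accounts"
$ CLOSE uaf
$ EXIT
$fail:
$ EXIT $STATUS
```

As with the usage shown in message 8, send the output to a file with /OUTPUT and review it before passing it to AUTHORIZE.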