  1. #1
    Join Date
    Jun 2004
    Posts
    796
    Provided Answers: 1

    Unanswered: Expiring all passwords

    I am introducing a new security policy for all accounts. I have created the profiles, and also a password verification script (for password complexity). I know how to apply the profiles to more than one user at a time, but I also want to force the users to use the new password complexity rules immediately, by expiring their old passwords & forcing them to enter new ones. I know how to do this to one account, but can it be done to multiple accounts at the same time?
    Last edited by cis_groupie; 08-03-04 at 09:39.
    90% of users' problems can be resolved by punching them - the other 10% by switching off their PCs.

  2. #2
    Join Date
    Dec 2003
    Location
    Buenos Aires, Argentina
    Posts
    86
    What about this...
    Create a new profile with PASSWORD_LIFE_TIME 0 (it means it expires right now, I guess) and add this profile to all the users.
    You better try this with one user and if it works, extend it to the rest of the users.
    Regards,

    Manf

  3. #3
    Join Date
    Jun 2004
    Posts
    796
    Provided Answers: 1
    The problem with that idea is that my users may not log on for some time - if I knew that they would all log on, say, tomorrow, then I could set the life_time to 0, wait until tomorrow evening, & then change the life_time back to what I want (e.g. 30 days), knowing that I would 'catch' all of them. However, knowing that my users will not all log on tomorrow (holidays, sick, working practice, laziness etc), if I set the life_time to 0 then the users will have to enter a new password every time they log on until each & every one of them has logged on & I can change the life_limit to 30 days.

    What I was hoping to do was to do this using the accounts instead of the profile - 'expire password now' for all of them, then it doesn't matter how long it takes for them to log on. Now, having typed all of this out, I've been hit by a little bolt of lightning - instead of using OEM & changing one account at a time, how about using SQL & set DBA_USERS.Account_Status = 'EXPIRED' for all users!

    (unless someone knows why this won't work...)
    90% of users' problems can be resolved by punching them - the other 10% by switching off their PCs.

  4. #4
    Join Date
    Feb 2004
    Location
    Dallas, TX
    Posts
    5

    AIX Password rollover script

    1.) Get list of users from /etc/passwd cut and paste the names only and put in a file, ‘userinput’.

    2.) Vi a file to run the following script!!

    # Flag every user listed in the file so a new password is required at next login
    for x in $(cat /tmp/sal/userinput); do
        pwdadm -f ADMCHG "$x"
    done

    3.) Make it executable!

  5. #5
    Join Date
    Aug 2003
    Location
    Where the Surf Meets the Turf @Del Mar, CA
    Posts
    7,776
    Provided Answers: 1
    >AIX Password rollover script
    AFAIK, what is/was being discussed are the Oracle DB passwords.
    You can lead some folks to knowledge, but you can not make them think.
    The average person thinks he's above average!
    For most folks, they don't know, what they don't know.
    Good judgement comes from experience. Experience comes from bad judgement.

  6. #6
    Join Date
    Feb 2004
    Location
    Dallas, TX
    Posts
    5

    AIX Password rollover script

    My way bad, I realized this after I hit enter !!

  7. #7
    Join Date
    Jun 2004
    Location
    Liverpool, NY USA
    Posts
    2,509
    REM Generate one ALTER USER statement per account into c:\users.sql
    set echo off
    set pagesize 0
    set head off
    set feedback off
    spool c:\users.sql

    select 'ALTER USER '||username||' PASSWORD EXPIRE;'
    from dba_users
    where username not in ('SYS','SYSTEM','EXP','OUTLN','DBSNMP');

    spool off


    Edit the file c:\users.sql to remove ANY user name that you don't want expired, then

    @c:\users.sql
    Bill
    You do not need a parachute to skydive. You only need a parachute to skydive twice.
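
An added example, not part of the original thread or any poster's code: the same bulk expiry run directly from a PL/SQL block, with a dry-run switch, quoted account names and per-account error reporting. DBA_USERS is a data dictionary view, so the status is changed with ALTER USER rather than by updating the view. Assumes Oracle 10g Release 2 or later (for DBMS_ASSERT) and a session with the ALTER USER privilege; `c_dry_run` and the variable names are illustrative.

```sql
-- Added example (not from the thread). Run in SQL*Plus.
SET SERVEROUTPUT ON
DECLARE
  -- Assumption: TRUE only prints the statements; set to FALSE to execute them.
  c_dry_run CONSTANT BOOLEAN := TRUE;
  v_sql     VARCHAR2(200);
  v_done    PLS_INTEGER := 0;
  v_failed  PLS_INTEGER := 0;
BEGIN
  FOR r IN (
    SELECT username
      FROM dba_users
     -- Exclusion list from the thread; extend it with service or
     -- application accounts that cannot answer a password prompt.
     WHERE username NOT IN ('SYS', 'SYSTEM', 'EXP', 'OUTLN', 'DBSNMP')
       -- Skip accounts that are locked or already fully expired.
       AND account_status IN ('OPEN', 'EXPIRED(GRACE)')
     ORDER BY username
  ) LOOP
    -- Quote the name exactly as stored so mixed-case or unusual
    -- usernames cannot alter the generated statement.
    v_sql := 'ALTER USER '
          || DBMS_ASSERT.ENQUOTE_NAME(r.username, FALSE)
          || ' PASSWORD EXPIRE';
    IF c_dry_run THEN
      DBMS_OUTPUT.PUT_LINE(v_sql || ';');
    ELSE
      BEGIN
        EXECUTE IMMEDIATE v_sql;
        v_done := v_done + 1;
      EXCEPTION
        WHEN OTHERS THEN
          -- Report and continue so one failing account does not stop the run.
          v_failed := v_failed + 1;
          DBMS_OUTPUT.PUT_LINE('FAILED ' || r.username || ': ' || SQLERRM);
      END;
    END IF;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE('Expired: ' || v_done || ', failed: ' || v_failed);
END;
/

-- Verify the result: every non-excluded account should now show EXPIRED.
SELECT username, account_status
  FROM dba_users
 ORDER BY account_status, username;
```

Review the dry-run output before switching `c_dry_run` to FALSE; an expired application account stops connecting until someone sets a new password for it.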

  8. #8
    Join Date
    Jun 2004
    Posts
    796
    Provided Answers: 1
    Such a simple solution yet so good! Thanks, all, for your help - I think I'll give beilstwh's suggestion a tryout, as I'm running on W2K (I know, Unix is better, but I've got to take what the company gives me)

    Thank you!
    90% of users' problems can be resolved by punching them - the other 10% by switching off their PCs.
