user modify

Changes various user account attributes.

Requires authentication (administrator ID and password) to use this command.

Syntax

user modify user_name account-valid {yes|no}

user modify user_name password password

user modify user_name password-valid {yes|no}

user modify user_name description description

user modify user_name gsouser {yes|no}

Options

account-valid {yes|no}
Enables or disables the specified user account. A user cannot log in with a disabled account. Valid values are yes and no.
password password
Modifies the user password. The new password must comply with password policies in effect.
When a password is set or changed, the password must comply with:
  • The defined Security Access Manager password policy and
  • The password policies for any underlying operating systems or user registry.
When the password policy is enforced, Security Access Manager first validates compliance against the Security Access Manager password policy currently in effect. Then, Security Access Manager validates compliance against the underlying user registry. Although a password complies with the defined Security Access Manager policy, it might fail against the password policy of the underlying user registry.
Note: Old passwords can still be used after a password change when:
  • You are using Active Directory as your user registry.
  • The Active Directory server is running on Windows 2003 SP1 or later.

For more information, see the following web page:

http://support.microsoft.com/?id=906305

password-valid {yes|no}
Validates or invalidates the password for the specified user account. Valid values are yes and no. If the value is no, the password appears expired and the user cannot log in using the password. For a user to log in, an administrator must set the valid state to yes. The user can also authenticate by using another method, such as using a certificate.

Another reason a user might not be able to authenticate with a specified password is that the maximum password age was exceeded. If you check and find that password-valid is set to yes, then try changing the value for the policy set max-password-age parameter. Only an administrator or a user that has the authority can set the max-password-age policy on a user account. A user cannot set this policy on their own account. This policy sets the maximum time, in days, that a password is valid. Time is relative to the last time the password was changed.

When you change the value for password-valid or reset policy set max-password-age, you do not have to change the password.

If you reset a password, the password-valid parameter automatically switches back to yes, and the password age that is measured against max-password-age starts over. For example, if the maximum password age is set to 30 days, another 30 days begins from the time you reset the password.

user_name
Specifies the name of the account to be modified. The user must exist, or an error is displayed. A valid user name is an alphanumeric string that is not case-sensitive. If the user is a GSO user, certain characters are not allowed. See Characters disallowed for GSO names for the list of these characters. Examples of user names are dlucas, sec_master, and "Mary Jones".
description description
Specifies any text string that describes the user that is being created. Examples of user description are "Head of department" and "Department number of employee".
gsouser {yes|no}
Enables global sign-on (GSO) capabilities for the specified user. Valid values are yes and no.

Return codes

0
The command completed successfully.
1
The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). See "Error messages" in the IBM Knowledge Center. This reference provides a list of the Security Access Manager error messages by decimal or hexadecimal codes.

Examples

  • The following example enables the specified user account:
    pdadmin sec_master> user modify dlucas account-valid yes
  • The following example changes the password for a user account:
    pdadmin sec_master> user modify dlucas password newpasswd
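
The following script is an added example, not part of the product documentation. It disables an account with user modify, checks the return code after each step, and reports the status code in both hexadecimal and decimal form for lookup in the error message reference. The names pd_status, pd_disable_user, fake_pdadmin, and the PDADMIN variable are assumptions, and the failure text is constructed.

```shell
#!/bin/sh
# Added example: scripted account lockout with "user modify".
# Assumption: $PDADMIN holds an already-authenticated pdadmin invocation.

# Extract the hexadecimal status code from pdadmin error text and print
# "hex decimal", because the error message reference lists codes in both forms.
pd_status() {
    hex=$(printf '%s\n' "$1" | grep -Eo '0x[0-9a-fA-F]{8}' | head -n 1)
    [ -n "$hex" ] || return 1
    printf '%s %d\n' "$hex" "$hex"
}

# Disable the account, then mark its password invalid. account-valid no
# blocks every login; password-valid no alone would still allow another
# authentication method, such as a certificate.
# Stops at the first failing step and returns 1, like pdadmin itself.
pd_disable_user() {
    user=$1
    for change in "account-valid no" "password-valid no"; do
        # $change is intentionally unquoted: it carries option and value.
        if ! out=$($PDADMIN user modify "$user" $change 2>&1); then
            code=$(pd_status "$out" || echo "no status code in output")
            printf 'user modify %s %s failed: %s\n' "$user" "$change" "$code" >&2
            return 1
        fi
    done
    return 0
}

# Constructed stand-in for pdadmin so the example runs offline. It fails the
# way the Return codes section describes: return code 1 plus a hex status.
fake_pdadmin() {
    echo "Error: constructed failure text (status 0x14c012f2)"
    return 1
}

# Demo run against the stand-in; set PDADMIN to the real command instead.
PDADMIN=fake_pdadmin
pd_disable_user dlucas || echo "dlucas was not fully disabled" >&2
```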
