Locking user accounts

The Security Administrator can manually lock or unlock a user account at any time. By default, the superuser is exempt from the system-wide policy for manual or automatic account locking.

When a system is created, a single local user with Security Administrator privileges, called superuser, is created. The superuser has the maximum privileges needed to complete system setup and configuration. For new systems, the default superuser password must be changed on first login to the system. Although the superuser cannot be deleted, you may want to lock or disable the superuser to prevent it from being used to access the system. In addition, the following system-wide policies can be set:
  • Automatic lock after 0-10 consecutive failed login attempts. A value of 0 means that accounts are never locked because of failed login attempts.
  • Length of time, 0-10080 minutes (7 days maximum), that an automatic lock remains in effect. A value of 0 means that a locked account remains locked indefinitely.
  • Whether the superuser account is subject to the locking policy (it is exempt by default).
A user account can be locked manually with the chuser command, or locked automatically according to the locking policy defined on the system.

Locking the superuser account

For systems with a dedicated technician port, the system supports locking the superuser account for environments with strict security requirements.

The superuser account is the only account on the system that can complete these tasks:

  • Log in when the system is in service mode, access the service assistant, and run or view service-related command-line operations (satask and sainfo commands).
  • Run the system recovery procedure and the backup and restore system configuration procedure.
Other Security Administrator accounts cannot complete these tasks. If Allow locking of the superuser account is selected on the Password Policy page and the superuser account becomes locked, these critical actions are unavailable until the account is unlocked.
If you plan to allow the superuser account to be locked, ensure that you complete the following tasks on the system:
  • Enable Support Assistance. Support assistance enables support personnel to access the system, either remotely from the support center or locally from a console. If the superuser account is locked and Support Assistance is enabled, a support person can still log in to service the system.
  • Ensure that password reset for the superuser account is enabled. The superuser password must be resettable if you allow locks on the superuser account. This feature is enabled by default. If it is disabled, the account cannot be unlocked by resetting the password from the service assistant GUI or the service command-line interface. Use the command svctask setpwdreset -enable to enable this feature.
  • Ensure that an account with the SecurityAdmin role exists. A separate account with the SecurityAdmin user role must exist, either locally or on a remote LDAP server, so that it can be used to unlock the superuser account.
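The prerequisites above are worth verifying before Allow locking of the superuser account is turned on, because an indefinite lockout with no backup SecurityAdmin leaves only the support-assistance and technician-port recovery paths. The following script is an added example, not IBM's code: it parses colon-delimited output previously captured from the CLI (lsuser -delim : and lssecurity -delim :), takes the current password-reset setting as an operator-supplied boolean, and reports whether the system is ready and what the configured lock policy implies. The field names locked, usergrp_name, superuser_locking, max_failed_logins and lockout_period, the one-field-per-line layout assumed for lssecurity, and the sample output embedded below are assumptions constructed for this example; confirm them against the lsuser and lssecurity output of your release.

```python
from dataclasses import dataclass, field


def parse_concise(text, delim=":"):
    """Parse a multi-row concise listing (the shape lsuser -delim : prints):
    a header line followed by one row per object."""
    rows = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = rows[0].split(delim)
    return [dict(zip(header, row.split(delim))) for row in rows[1:]]


def parse_detailed(text, delim=":"):
    """Parse a detailed listing, one 'field<delim>value' per line.
    Assumed here to be the shape lssecurity -delim : prints."""
    out = {}
    for ln in text.strip().splitlines():
        if delim in ln:
            key, value = ln.split(delim, 1)
            out[key.strip()] = value.strip()
    return out


@dataclass
class Preflight:
    ok: bool
    problems: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def superuser_lock_preflight(lsuser_out, lssecurity_out, pwdreset_enabled):
    """Check the prerequisites for allowing the superuser account to be locked."""
    problems, notes = [], []
    users = parse_concise(lsuser_out)
    sec = parse_detailed(lssecurity_out)

    # 1. Password reset must stay enabled, otherwise the service assistant
    #    cannot unlock superuser by resetting its password.
    if not pwdreset_enabled:
        problems.append("superuser password reset is disabled; run: setpwdreset -enable")

    # 2. An unlocked SecurityAdmin other than superuser must exist (local or LDAP).
    #    Column names usergrp_name/locked are assumed for this example.
    backups = [u["name"] for u in users
               if u.get("usergrp_name") == "SecurityAdmin"
               and u.get("name") != "superuser"
               and u.get("locked", "no") != "yes"]
    if not backups:
        problems.append("no unlocked SecurityAdmin account other than superuser; create one first")
    else:
        notes.append("backup SecurityAdmin account(s): " + ", ".join(backups))

    # 3. Explain what the lock policy means for superuser. Field names are assumed.
    max_failed = int(sec.get("max_failed_logins", 0))
    lockout_min = int(sec.get("lockout_period", 0))
    if sec.get("superuser_locking") != "enabled":
        notes.append("superuser_locking is not enabled; superuser stays exempt from the lock policy")
    elif max_failed == 0:
        notes.append("max_failed_logins=0: no automatic lock, only manual lock via chuser")
    elif lockout_min == 0:
        notes.append(f"auto-lock after {max_failed} failures is indefinite; unlocking needs "
                     "another SecurityAdmin, remote support assistance or the technician port")
    else:
        notes.append(f"auto-lock after {max_failed} failures expires after {lockout_min} min")

    return Preflight(ok=not problems, problems=problems, notes=notes)


# Constructed sample output for the example (not captured from a real system).
SAMPLE_LSUSER = """\
id:name:password:ssh_key:remote:usergrp_id:usergrp_name:locked
0:superuser:yes:no:no:0:SecurityAdmin:no
1:secadmin2:yes:yes:no:0:SecurityAdmin:no
2:monitor1:yes:no:no:4:Monitor:no
"""
SAMPLE_LSSECURITY = """\
superuser_locking:enabled
max_failed_logins:5
lockout_period:0
"""

if __name__ == "__main__":
    report = superuser_lock_preflight(SAMPLE_LSUSER, SAMPLE_LSSECURITY, True)
    print("READY" if report.ok else "NOT READY")
    for p in report.problems:
        print("problem:", p)
    for n in report.notes:
        print("note:", n)
```

Run it against output captured from your own system; a report with no problems means the superuser account can be unlocked by a second SecurityAdmin or by a password reset from the service assistant, and the notes tell you whether a lockout on the superuser account would expire on its own or require one of the recovery actions listed below.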
The following table describes different use cases where the superuser account is locked and the possible recovery actions:

Locked superuser use case: The superuser account is locked after the specified number of failed login attempts, and a lockout time period is set.
Recovery action: Wait for the lockout period to expire, then attempt to log in again.

Locked superuser use case: The superuser account is locked after the specified number of failed login attempts, but an indefinite lockout (lockout time of 0) was selected, or the superuser account was manually locked because it is not intended for use.
Recovery action: Complete one of these tasks to unlock the superuser account:
  • Manually unlock the superuser account by using another account with the SecurityAdmin user role.
  • Create a remote support assistance request.
  • Use the technician port to access the service assistant GUI.
  • Use a USB flash drive to run satask commands. For more information, see satask.txt commands.

Locked superuser use case: The superuser account is locked after two person integrity (TPI) is enabled.
Recovery action: Complete one of these tasks to unlock the superuser account:
  • Disable TPI.
  • Request remote support assistance.
  • Use the technician port to access the service assistant GUI.