Considerations for changing QPWDLVL from 2 to 3

After running the system at QPWDLVL 2 for some period of time, you can consider moving to QPWDLVL 3 to maximize the password security protection.

At QPWDLVL 3, all IBM® i NetServer LAN manager passwords are cleared so a system should not be moved to QPWDLVL 3 until there is no need to use IBM i NetServer LAN manager passwords. LAN manager passwords are used to communicate with IBM i Support for Windows Network Neighborhood (IBM i NetServer) product and only affects Windows 95/98/ME clients. The LAN manager passwords have been disabled by Windows since Vista so removing them will not affect current versions of Windows.

At QPWDLVL 3, all password level 0 and 1 passwords are cleared. The administrator can use the DSPAUTUSR or PRTUSRPRF command to locate user profiles which don't have password level 2 or 3 passwords associated with them.

A change to the QPWDLVL system value takes effect at the next IPL. To see the current and pending password level values, use the Display Security Attributes (DSPSECA) command.