On Mon 05-May-2011 11:12, fbocch2595@xxxxxxx wrote:
> Another question is...is there any way for me to verify how long the
> *USRPRF was expired after I've changed the password?

AFaIK a DSPUSRPRF taken sometime before having changed the password
[but after the prior change] typically would be required, in order to
see the "Date password last changed" date [and perhaps also the
"Password expiration interval" setting if that also may have changed].

The answer could instead be determined, given [atypically] sufficient
auditing of past changes [and possibly even the creation] of the user
profile of interest; i.e. by a review of all T-CP for the specific user
profile name, the question should be answerable given enough successive
logged history of audited changes remain available.

I experienced a situation that seems much like this scenario... A
program that "fixed" issues both with expiration interval reached and
both default and trivial passwords ran scheduled on a system where I was
eventually asked to investigate when and by-whom a change was made to
give a user profile a trivial password. Unfortunately the program
failed to collect DSPOBJD and DSPUSRPRF output before making the change,
plus auditing was not active :-( With just those two pieces of
information I might have been able to track down the likely responsible
job with the history log, or if available, more directly "when" within
the auditing to look for where the change would have been recorded.
Those pieces of information are since vitiated by the "corrective
action" of CHGUSRPRF to disable the expired user or set the user
password to *NONE; i.e. the last change date of the object now indicates
the correction versus when the problem arose, and a new password resets
the last change date for the prior password.

The lesson... generally best to collect investigative\diagnostic
information before attempting corrective action, because the correction
might change information that is important to the investigation of the
[origin of the] problem to be corrected. Or in the case of something
that is audited, to be sure to have auditing active and maintained.
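
An added illustration of the collect-before-correct lesson above, as a CL sketch; it is not part of the original message and is not the program the poster describes. The library SECEVID and the outfile names UPBEFORE, ODBEFORE and CPBEFORE are hypothetical, and the library is assumed to exist already.

```cl
/* Added example. SECEVID, UPBEFORE, ODBEFORE, CPBEFORE are          */
/* hypothetical names; SECEVID is assumed to exist.                  */
PGM        PARM(&USER)
  DCL      VAR(&USER)  TYPE(*CHAR) LEN(10)
  DCL      VAR(&AUDIT) TYPE(*LGL)  VALUE('1')

  /* Is the security audit journal present on this system at all?    */
  CHKOBJ   OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN)
  MONMSG   MSGID(CPF9801) EXEC(CHGVAR VAR(&AUDIT) VALUE('0'))

  /* 1. Snapshot the profile BEFORE any change: this keeps the       */
  /*    password-last-changed date and the expiration interval.      */
  DSPUSRPRF USRPRF(&USER) TYPE(*BASIC) OUTPUT(*OUTFILE) +
              OUTFILE(SECEVID/UPBEFORE) OUTMBR(*FIRST *ADD)

  /* 2. Snapshot the object description: this keeps the last change  */
  /*    date of the *USRPRF object, which CHGUSRPRF will overwrite.  */
  DSPOBJD  OBJ(QSYS/&USER) OBJTYPE(*USRPRF) OUTPUT(*OUTFILE) +
              OUTFILE(SECEVID/ODBEFORE) OUTMBR(*FIRST *ADD)

  /* 3. If auditing exists, save the T-CP (change profile) entries   */
  /*    still on the receiver chain. Select the rows for &USER from  */
  /*    the outfile afterwards.                                      */
  IF       COND(&AUDIT) THEN(DO)
    DSPJRN   JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) +
               ENTTYP(CP) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
               OUTFILE(SECEVID/CPBEFORE) OUTMBR(*FIRST *ADD)
    MONMSG   MSGID(CPF7062) /* no CP entries found on the chain */
  ENDDO

  /* 4. Only now take the corrective action. Steps 1 and 2 are not   */
  /*    monitored, so a failed snapshot ends the program before the  */
  /*    profile is touched.                                          */
  CHGUSRPRF USRPRF(&USER) STATUS(*DISABLED)
ENDPGM
```

Because the outfiles are written with *ADD, repeated runs accumulate a history of snapshots rather than replacing the previous one.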