Reenabling a Disabled Netserver User--It's Easier Than You Think

Article ID: 58324

I was alerted the other day that after a change of help desk special authorities, one of my clients was getting repeated authority failures when the help desk users were attempting to reset disabled Netserver users.

In a bit of an anomaly, a user can become disabled for Netserver use while still having an *ENABLED user profile. Netserver disables a user after too many bad logon attempts, but that doesn't actually *DISABLE the user profile; it disables the user profile only from using Netserver, which is used for System i network file and print sharing.

When I inquired as to how the help desk was attempting to reenable the Netserver users, the answer was that they were using System i Navigator (Ops Nav) Network|Server|TCP/IP|Netserver|Open|Disabled User IDs. As a security consultant, I was immediately taken aback that the help desk would have that kind of access to the TCP/IP and Host servers operation and configuration. I wondered what other powerful facilities they had been authorized to use.

To make a very long story short, you can reenable a disabled Netserver user by simply typing the command:

CHGUSRPRF MYUSER

and pressing Enter.

You don't need to change any attribute of the profile. Simply using the CHGUSRPRF command will update the user profile and magically reenable the user for Netserver use.

@denseeks: CHGUSRPRF with no parameters (aside from user profile name, obviously) works for me. That assumes of course that the profile is only disabled for NetServer. If it's disabled for everything, (i.e. STATUS(*DISABLED)) then you'll have to change it to *enabled, of course. But if it's only disabled for NetServer, just CHGUSRPRF no other parameters works fine.

Managed to test this in V5R4 this week. Unfortunately I didn't get the same result as what this article says. A chgusrprf command with no other parameters does nothing to enable a disabled NetServer user ID. Not sure anybody else has proven this to be right!

Carsten Flensburg also wrote a utility related to this a few years back:
http://systeminetwork.com/article/apis-example-list-and-enable-disabled-netserver-users

I remember testing this (V5R4) a few months back, and my conclusion was the CHGUSRPRF command must change the password field before the Netserver ID will be re-enabled. Changing a few other fields such as ID Description doesn't help. But seeing this advice from a security expert probably invalidates my conclusion. Will have to test it out again.

IBM has a "green screen" utility that has an option to enable NetServer users. Here is the URL: http://www-03.ibm.com/systems/i/software/netserver/qusrtool.html
Ken

Thanks for the tips, Dan. Been on the system for 15 years and I learned something new.

Good tip. I never gave it to my helpdesk, but then again my staff had to deal with it. While trying it out I found an anomaly. I went to iNav and found 3 disabled profiles. I did a CHGUSRPRF on one, then updated my iNav list and it was still there. I did the second one and the first disappeared, which I think was a coincidence. While I was trying to puzzle it out, the first one came back. In this case I found the message for the user in QSYSOPR, so it made sense. Bottom line is, while it might fix the user, it doesn't seem to update whatever iNav looks at. Still a good tip though, since it fixes the issue and the helpdesk wouldn't know any better.
