I have a situation where I am asked to get a list of all inactive users (expired or locked in the last 41 days). I looked into /etc/shadow (no such file on my server). I referred to some old threads but did not find useful information.
I'm using AIX 5.3 .... I have a total of 1641 users on the server.
Folks ... answers are really appreciated. Thank you.
There is no /etc/shadow on AIX. A similar file is /etc/security/passwd and some others in that directory. The information you are looking for should be in /etc/security/lastlog.
Last edited by zaxxon; 03-22-2011 at 06:05 AM..
Reason: rephrasing
@zaxxon - thanks for the reply.
How can I break it down simply to locate only inactive users (expired or locked in the last 41 days) from /etc/security/lastlog? I have 1641 user accounts. Anybody, please post a script to make this operation simple. Thank you - Sumit
Here's a script I copied from another forum and quickly tested on one of my boxes:
Code:
#!/usr/bin/ksh
#set -x
# Lists login-enabled accounts that have not been used for a set number of
# days. Nothing is locked until the "chuser" line below is uncommented.
expdays=60 #<< ---- Set number of days in past here!
let expiry=86400*$expdays
locked=" "
LOG_FILE=/tmp/${0##*/}.log   # basename only: $0 may contain a path
tmp1=/tmp/exp.tmp1.$$
tmp2=/tmp/exp.tmp2.$$
tmp2a=/tmp/exp.tmp2a.$$
# List all users that are allowed to login; system accounts are excluded by
# exact name (an unanchored pattern would also drop any line containing "bin", "sys" or "adm")
lsuser -a login account_locked time_last_login ALL | grep -Ev '^(root|daemon|bin|sys|adm|nobody) ' | grep "login=true" > $tmp1
# get all users who have logged in at least once with login date
grep 'time_last_login' $tmp1 | sed -e 's/login=true //' -e 's/account_locked=//' -e 's/time_last_login=//' > $tmp2
# get all users who have not logged in since creation (collected, not reported below)
grep -v 'time_last_login' $tmp1 | sed -e 's/login=true //' -e 's/account_locked=//' > $tmp2a
# get today's date in seconds from epoch for comparison
# (-u because time_last_login is stored as UTC epoch seconds)
year=`date -u +%Y`
day=`date -u +%j`
hour=`date -u +%H`
minute=`date -u +%M`
let today="($year - 1970) * 365 * 86400 + ($day - 1) * 86400 + $hour * 3600 + $minute * 60 + ($year - 1969) / 4 * 86400"
# for each user found, check whether the account has been unused too long
cat $tmp2 | while read user locked last; do
    let min=$today-$expiry
    if [[ $min -gt $last ]]; then
        # days since last login
        let login="($today - $last) / 86400"
        echo $user':'$login':'$locked >> $LOG_FILE
        #chuser shell='/usr/local/bin/locked' account_locked='true' $user
    fi
done
# Remove the tmp files
rm $tmp1
rm $tmp2
rm $tmp2a
Once everything looks good in the LOG_FILE, you can uncomment the "chuser" line if you want to start locking them.
As a start, this will filter out all accounts that didn't log in the last 41 days.
Bear in mind that this will also list technical users, for example for daemons, as they most probably never logged in.
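The lookup suggested earlier in the thread, reading /etc/security/lastlog directly, as an added example that is not part of any post here: it parses the stanza layout and reports accounts with no time_last_login separately, which covers the never-logged-in technical users just mentioned. The sample stanzas, account names and the fixed "now" value are constructed; on a real system the first argument would be the lastlog file.

```shell
#!/bin/sh
# Added example (not from the thread): list inactive accounts from an
# AIX-style lastlog stanza file. Output is "user:days_idle" or "user:never".
# Usage: inactive_from_lastlog FILE NOW_EPOCH DAYS   (FILE "-" = stdin)
inactive_from_lastlog() {
    awk -v now="$2" -v days="$3" '
        function report() {
            if (user == "") return
            if (last == "")
                print user ":never"                 # stanza without a login time
            else if (now - last > days * 86400)
                print user ":" int((now - last) / 86400)
        }
        $1 ~ /^\*/ { next }                         # stanza-file comment line
        NF == 1 && $1 ~ /:$/ {                      # stanza header "name:"
            report(); user = $1; sub(/:$/, "", user); last = ""; next
        }
        $1 == "time_last_login" && $2 == "=" { last = $3 }
        END { report() }
    ' "$1"
}

# Constructed sample data in the lastlog stanza layout (not real accounts).
sample_lastlog() {
    cat <<'EOF'
* constructed sample
alice:
        time_last_login = 1300700000
        tty_last_login = /dev/pts/1
bob:
        time_last_login = 1290000000
        unsuccessful_login_count = 2
svcbatch:
        unsuccessful_login_count = 0
carol:
        time_last_login = 1297257600
EOF
}

# Constructed "now" of 1300800000; 41-day threshold as asked in the thread.
sample_lastlog | inactive_from_lastlog - 1300800000 41
```

The lastlog file records login times only, so the locked state still has to come from `lsuser -a account_locked`, as in the script above. The "never" entries are worth reviewing by hand before any locking.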
This script works. I was able to create a text file of inactive users. Thanks a ton.