System Administration Guide: Basic Administration

Maintaining User Accounts (Task Map)

Task: Modify a group.
Description: You can modify a group's name or the users in a group by using the Groups tool.
Instructions: How to Modify a Group

Task: Delete a group.
Description: You can delete a group if it is no longer needed.
Instructions: How to Delete a Group

Task: Modify a user account.
Description:

  • Disable a user account. You can temporarily disable a user account if it will be needed in the future.

  • Change a user's password. You might need to change a user's password if the user forgets it.

  • Set password aging. You can force users to change their passwords periodically with the User Account tool's Password Options menu.

Instructions: How to Disable a User Account, How to Change a User's Password, How to Set Password Aging on a User Account

Task: Delete a user account.
Description: You can delete a user account if it is no longer needed.
Instructions: How to Delete a User Account

Modifying User Accounts

Unless you define a user name or UID number that conflicts with an existing one, you should never need to modify a user account's user name or UID number.

Use the following steps if two user accounts have duplicate user names or UID numbers:

  • If two user accounts have duplicate UID numbers, use the Users tool to remove one account and add it again with a different UID number. You cannot use the Users tool to modify a UID number of an existing user account.

  • If two user accounts have duplicate user names, use the Users tool to modify one of the accounts and change the user name.

If you use the Users tool to change a user name, the ownership of the user's home directory is also changed, if a home directory exists for the user.

One part of a user account that you can change is a user's group memberships. Select the Properties option from the Users tool's Action menu to add or delete a user's secondary groups. Alternatively, you can use the Groups tool to directly modify a group's member list.

You can also modify the following parts of a user account:

  • Description (comment)

  • Login shell

  • Passwords and password options

  • Home directory and home directory access

  • Rights and roles

Disabling User Accounts

Occasionally, you might need to temporarily or permanently disable a user account. Disabling or locking a user account means that an invalid password, *LK*, is assigned to the user account, preventing future logins.

The easiest way to disable a user account is to lock the password for the account with the Users tool.

You can also enter an expiration date in the account availability section of the User Properties screen. An expiration date enables you to set a limit on how long the account is active.

You can also disable a user account by setting up password aging or by changing the user's password.

Deleting User Accounts

When you delete a user account with the Users tool, the software deletes the entries in the passwd and group files. In addition, the files in the user's home directory and mail directory are also deleted.

How to Modify a Group

Use the following procedure to modify a group.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the Solaris Management Console.
    # /usr/sadm/bin/smc &

    For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment.

  3. Click the This Computer icon under the Management Tools icon in the Navigation pane.

    A list of categories is displayed.

  4. (Optional) Select the appropriate toolbox for your name service environment.
  5. Click the System Configuration icon.
  6. Click the User icon.
  7. Provide the superuser password or the role password.
  8. Click the Groups icon.
  9. Select the group to modify.

    For example, select scutters.

  10. Modify the selected group in the Group Name: text box. Click OK when you are finished.

    For example, change scutters to scutter.

    All the users that were in the scutters group are now in the scutter group.

How to Delete a Group

Use the following procedure to delete a group.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the Solaris Management Console.
    # /usr/sadm/bin/smc &

    For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment.

  3. Click the This Computer icon under the Management Tools icon in the Navigation pane.

    A list of categories is displayed.

  4. (Optional) Select the appropriate toolbox for your name service environment.
  5. Click the System Configuration icon.
  6. Click the User icon.
  7. Provide the superuser password or the role password.
  8. Click the Groups icon.
  9. Select the group to delete.

    For example, select scutter.

  10. Click OK in the popup window.

    The group is removed from all the users who were a member of this group.

Administering Passwords

You can use the Users tool for password administration. This tool includes the following capabilities:

  • Specifying a normal password for a user account

  • Enabling users to create their own passwords during their first login

  • Disabling or locking a user account

  • Specifying expiration dates and password aging information


Note - Password aging is not supported by the NIS name service.


Using Password Aging

If you are using NIS+ or the /etc files to store user account information, you can set up password aging on a user's password. Starting in the Solaris 9 12/02 release, password aging is also supported in the LDAP directory service.

Password aging enables you to force users to change their passwords periodically or to prevent a user from changing a password before a specified interval. If you want to prevent an intruder from gaining undetected access to the system by using an old and inactive account, you can also set a password expiration date on which the account becomes disabled. You can set password aging attributes with the passwd command or the Solaris Management Console's Users tool.

For information about starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role.
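
On a system that keeps accounts in the /etc files, the locked state (*LK*) and the aging and expiration settings described above are all recorded in the account's shadow(4) entry, so they can be audited from a shell. The following is an added example, not part of the original guide: the function names, the sample entries, the hash placeholder and the day numbers are constructed, and it assumes the standard shadow field layout.

```shell
#!/bin/sh
# audit_shadow TODAY  (added example; reads shadow(4)-format lines on stdin)
# Field layout: username:password:lastchg:min:max:warn:inactive:expire:flag
# TODAY, lastchg and expire are all counted in days since 1970-01-01.
audit_shadow() {
    awk -F: -v today="$1" '
    /^#/ || NF < 8 { next }    # skip comments and malformed lines
    {
        user = $1; pw = $2; lastchg = $3; max = $5; expire = $8

        # Login state: a password field starting with *LK* is a locked
        # account; an expire day that has passed disables the account.
        if (index(pw, "*LK*") == 1)                     state = "locked"
        else if (expire != "" && expire+0 <= today+0)   state = "expired"
        else if (pw == "")                              state = "no-password"
        else                                            state = "active"

        # Aging: an empty or negative max means no forced password change.
        if (max == "" || max+0 < 0)                     aging = "aging-off"
        else if (lastchg != "" && lastchg+0 + max+0 < today+0)
                                                        aging = "change-overdue"
        else                                            aging = "aging-on"

        print user, state, aging
    }'
}

# Constructed sample entries (x9HASHx stands in for a real password hash).
sample_shadow() {
    cat <<'EOF'
scutter1:x9HASHx:15580:7:90:14:::
scutter2:*LK*:15000::::::
scutter4:x9HASHx:15400:7:90:14::15500:
scutter9:x9HASHx:15000::::::
EOF
}

# Demo run with a constructed "today" of day 15600.
sample_shadow | audit_shadow 15600
```

To audit a live system, run `audit_shadow TODAY < /etc/shadow` as superuser. Entries reported as `active aging-off` are the old, never-expiring accounts that the aging and expiration settings are meant to eliminate.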

How to Disable a User Account

Use the following procedure if you need to disable a user account.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the Solaris Management Console.
    # /usr/sadm/bin/smc &

    For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment.

  3. Click the This Computer icon under the Management Tools icon in the Navigation pane.

    A list of categories is displayed.

  4. (Optional) Select the appropriate toolbox for your name service environment.
  5. Click the System Configuration icon.
  6. Click the User icon and provide the superuser password or the role password.
  7. Click the User Accounts icon.
  8. Double-click the user.

    For example, select scutter2.

  9. Select the Account is Locked option in the Account Availability section of the General tab features.
  10. Click OK.

How to Change a User's Password

Use the following procedure when a user forgets her password.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the Solaris Management Console.
    # /usr/sadm/bin/smc &

    For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment.

  3. Click the This Computer icon under the Management Tools icon in the Navigation pane.

    A list of categories is displayed.

  4. (Optional) Select the appropriate toolbox for your name service environment.
  5. Click the System Configuration icon.
  6. Click the User icon.
  7. Provide the superuser password or the role password.
  8. Click the User Accounts icon, then double-click the user who needs a new password.

    For example, select scutter1.

  9. Select the Password tab, then select the User Must Use This Password at Next Login option.
  10. Enter the user's new password and click OK.

How to Set Password Aging on a User Account

Use the following procedure to set password aging on a user account.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the Solaris Management Console.
    # /usr/sadm/bin/smc &

    For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment.

  3. Click the This Computer icon under the Management Tools icon in the Navigation pane.

    A list of categories is displayed.

  4. (Optional) Select the appropriate toolbox for your name service environment.
  5. Click the System Configuration icon.
  6. Click the User Accounts icon and provide the superuser password or the role password.
  7. Click the User Accounts icon.
  8. Double-click the user, then select the Password Options tab.

    For example, select scutter2.

  9. Select the Password Options tab.
  10. Select the appropriate Password Options in Days option and click OK.

    For example, select Users Must Change Within to set a date when the user must change his or her password.

How to Delete a User Account

Use the following procedure to remove a user account.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the Solaris Management Console.
    # /usr/sadm/bin/smc &

    For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment.

  3. Click the This Computer icon under the Management Tools icon in the Navigation pane.

    A list of categories is displayed.

  4. (Optional) Select the appropriate toolbox for your name service environment.
  5. Click the System Configuration icon.
  6. Click the User icon.
  7. Provide the superuser password or the role password.
  8. Click the User Accounts icon.
  9. Double-click the user account to be removed.

    For example, select scutter4.

  10. Click Delete in the popup window if you are sure you want to remove the user account.

    You are prompted to remove the user's home directory and mailbox contents.
