The Four Hundred

For auditing and administration, you usually have to examine your OS/400 user profiles in relationship to one another. That's because the more serious administrative questions revolve around discovering which profiles exhibit the characteristics you are searching for. You may need to know which user profiles have default passwords, which profiles are disabled, or which users belong to which group profile membership lists. These questions can be difficult to answer if you don't know where the information resides.

To get more mileage out of your user profiles, here are some simple tips for retrieving common profile information by using everyday tools on either the OS/400 5250 green-screen or the Windows desktop.

Use the green-screen Analyze Default Password (ANZDFTPWD) command for this one. Under this command, you can either list all your default passwords or disable all the default password users from signing on to your system. There are some pros and cons to this method, so be sure to read "Dealing with Default Passwords," which examines ANZDFTPWD in depth.

How can you create a file containing all OS/400 user profile names and their configurations?

This is fairly easy if you use the green-screen Display User Profile (DSPUSRPRF) command for all users and specify that the output should be redirected to an OS/400 file. Here's an example of how to use DSPUSRPRF to create an OS/400 user profile information file:

After running this command, the QGPL/USERPRF file contains all the information that was entered through the green-screen Work with User Profiles (WRKUSRPRF) command or through Operations Navigator's New User panel. The only downside I've seen in creating the USERPRF file is that it's not obvious which file layout the user profile output file is based on. So you may have to match individual field names and values to OS/400 user profile attributes yourself.

Which user profiles has OS/400 recently disabled when the user reached the maximum number of sign-on attempts allowed, as defined in the QMAXSIGN system value?

(See "Dealing with Inactive Jobs" for more information on how to use QMAXSGN.) This problem is easily solved if you created the OS/400 QGPL/USERPRF user profile information file discussed in the last point. By exporting your user profile information to database format, you can search for disabled users by displaying any QGPL/USERPRF record that contains the string *DISABLED in the UPSTAT field. This query can be run on the green-screen by executing the Run Query (RUNQRY) command and using the Record Selection (RCDSLT) parameter, as follows:

Once you enter this command, use the Record Selection screen to tell Query that you only want to view records where the UPSTAT field contains *DISABLED. If you sort your output by last sign-on date (which is contained in the UPPSOD field in QGPL/USERPRF) in descending sequence, you can view the disabled users according to which profile had most recently signed on to your system. (This option is dependent on having OS/400 product number 5722QU1, Query, installed on your machine if you have OS/400 V5R1 or above.)

You can also import the QGPL/USERPRF file into Microsoft Access as a Link Table and then create a query that searches for and displays disabled user profiles.

The easiest way to find this information is by using the iSeries Operations Navigator's Groups function, which resides under the OpsNav Users and Groups tree node. Open the Groups node in OpsNav, and it will show you every single group profile on your system. (This article was tested using the OpsNav version included in Client Access Express for Windows V5R1; other Client Access Express and iSeries Access versions may contain different functionality.) Right-click the Groups node itself and you can add a new group by selecting the New Group option from the pop-up menu that appears. Right-click any particular group profile, select Properties from the pop-up menu, and you can easily add and delete members for your target group profile member list.

There's also a way to view group profile membership on the 5250 green-screen, but it's not as easy to add and remove group members as it is with OpsNav. If you type in the Display Authorized Users (DSPAUTUSR) command in the following way, you can view all the membership lists for each group profile on your system:

If you wanted a printed copy of the group profile membership lists, you would add the OUTPUT(*PRINT) parameter to this command:

To add and remove members from a group profile list on the green-screen, you need to edit each individual user profile in the group by using the Work with User Profiles (WRKUSRPRF) command or the Change User Profile (CHGUSRPRF) command. Because you have to edit each user profile, one at a time, on the green-screen without seeing how the profile lists fit together, this technique isn't nearly as efficient or as fast as using OpsNav's Groups node.

Getting the OS/400 user profile information you need isn't that difficult if you know where to look. I'll cover more administrative techniques in future issues of the Admin Alert, so you can better control and document user profiles.