ADD, Qualifiers, /FLAGS
*Conan The Librarian (sorry for the slow response - running on an old VAX)
|
Library /sys$common/syshlp/uafhelp.hlb ADD, Qualifiers, /FLAGS *Conan The Librarian (sorry for the slow response - running on an old VAX) |
|
/FLAGS=([NO]option[,...])
Specifies login flags for the user. The prefix NO clears the
flag. The options are as follows:
AUDIT Enables or disables mandatory security
auditing for a specific user. By default,
the system does not audit the activities of
specific users (NOAUDIT).
AUTOLOGIN Restricts the user to the automatic login
mechanism when logging in to an account.
When set, the flag disables login by any
terminal that requires entry of a user name
and password. The default is to require a user
name and password (NOAUTOLOGIN).
CAPTIVE Prevents the user from changing any defaults
at login, for example, /CLI or /LGICMD. It
prevents the user from escaping the captive
login command procedure specified by the
/LGICMD qualifier and gaining access to the
DCL command level. See Guidelines for Captive
Command Procedures in the OpenVMS Guide to
System Security.
The CAPTIVE flag also establishes an
environment where Ctrl/Y interrupts are
initially turned off; however, command
procedures can still turn on Ctrl/Y
interrupts with the DCL command SET CONTROL=Y.
By default, an account is not captive
(NOCAPTIVE).
DEFCLI Restricts the user to the default command
interpreter by prohibiting the use of the /CLI
qualifier at login; the MCR command can still
be used. By default, a user can choose a CLI
(NODEFCLI).
DISCTLY Establishes an environment where Ctrl/Y
interrupts are initially turned off and are
invalid until a SET CONTROL=Y is encountered.
This could happen in SYLOGIN.COM or in a
procedure called by SYLOGIN.COM. Once a SET
CONTROL=Y is executed (which requires no
privilege), a user can enter a Ctrl/Y and
reach the DCL prompt ($). If the intent of
DISCTLY is to force execution of the login
command files, then SYLOGIN.COM should issue
the DCL command SET CONTROL=Y to turn on Ctrl
/Y interrupts before exiting. By default, Ctrl
/Y is enabled (NODISCTLY).
DISFORCE_PWD_ Removes the requirement that a user must
CHANGE change an expired password at login. By
default, a person can use an expired password
only once (NODISFORCE_PWD_CHANGE) and then
is forced to change the password after
logging in. If the user does not select a
new password, the user is locked out of the
system.
To use this feature, set a password expiration
date with the /PWDLIFETIME qualifier.
DISIMAGE Prevents the user from executing RUN, MCR,
and foreign commands. By default, a user
can execute RUN, MCR, and foreign commands
(NODISIMAGE).
DISMAIL Disables mail delivery to the user. By
default, mail delivery is enabled (NODISMAIL).
DISNEWMAIL Suppresses announcements of new mail at login.
By default, the system announces new mail
(NODISNEWMAIL).
DISPWDDIC Disables automatic screening of new passwords
against a system dictionary. By default,
passwords are automatically screened
(NODISPWDDIC).
DISPWDHIS Disables automatic checking of new passwords
against a list of the user's old passwords.
By default, the system screens new passwords
(NODISPWDHIS).
DISRECONNECT Disables automatic reconnection to an existing
process when a terminal connection has
been interrupted. By default, automatic
reconnection is enabled (NODISRECONNECT).
DISREPORT Suppresses reports of the last login time,
login failures, and other security reports.
By default, login information is displayed
(NODISREPORT).
DISUSER Disables the account so the user cannot log
in. For example, the DEFAULT account is
disabled. By default, an account is enabled
(NODISUSER).
DISWELCOME Suppresses the welcome message (an
informational message displayed during a local
login). This message usually indicates the
version number of the operating system that is
running and the name of the node on which the
user is logged in. By default, a system login
message appears (NODISWELCOME).
EXTAUTH Considers user to be authenticated by an
external user name and password, not by the
SYSUAF user name and password. (The system
still uses the SYSUAF record to check a user's
login restrictions and quotas and to create
the user's process profile.)
GENPWD Restricts the user to generated passwords.
By default, users choose their own passwords
(NOGENPWD).
LOCKPWD Prevents the user from changing the password
for the account. By default, users can change
their passwords (NOLOCKPWD).
PWD_EXPIRED Marks a password as expired. The user cannot
log in if this flag is set. The LOGINOUT.EXE
image sets the flag when both of the following
conditions exist: a user logs in with the
DISFORCE_PWD_CHANGE flag set, and the user's
password expires. A system manager can clear
this flag. By default, passwords are not
expired after login (NOPWD_EXPIRED).
PWD2_EXPIRED Marks a secondary password as expired. Users
cannot log in if this flag is set. The
LOGINOUT.EXE image sets the flag when both
of the following conditions exist: a user logs
in with the DISFORCE_PWD_CHANGE flag set, and
the user's password expires. A system manager
can clear this flag. By default, passwords
are not set to expire after login (NOPWD2_
EXPIRED).
RESTRICTED Prevents the user from changing any defaults
at login (for example, by specifying /LGICMD)
and prohibits user specification of a CLI
with the /CLI qualifier. The RESTRICTED
flag establishes an environment where Ctrl/Y
interrupts are initially turned off; however,
command procedures can still turn on Ctrl/Y
interrupts with the DCL command SET CONTROL=Y.
Typically, this flag is used to prevent an
applications user from having unrestricted
access to the CLI. By default, a user can
change defaults (NORESTRICTED).
|
|
