11-21-2009 7:21 PM
Hello together,
I hope you are able to help me. I have a little problem.
In our system many users are locked, so I have unlocked the users. The first point is that I can't find any change document showing who has locked the users, so where can I find something about that? Many of them are not locked in the morning.
The second problem is that I now see in the change documents that I have unlocked the users and set a new password. I did not set a new password.
I don't know what is happening here, but I hope you can help me.
Please tell me if you need some more information.
SAP ECC 6.0
11-22-2009 11:30 AM
Are you using CUA for user administration? Have you unlocked these users from CUA?
11-22-2009 10:54 AM
What is the value of your parameter login/failed_user_auto_unlock in the system?
Cheers,
Julius
11-22-2009 11:06 AM
Hello,
The parameter is 0.
I don't think that some parameters are the problem, because they are the same in all systems.
I don't know what the problem is.
11-23-2009 9:27 AM
1. We can lock all the users centrally (Global Lock) using SU01.
2. Using SU10 to mass-lock user IDs in the system.
3. Did any system upgrade happen recently? (Basis team centrally locked the users)
4. Did a system refresh or system copy happen? (Basis team centrally locked the users)
11-23-2009 10:07 AM
Good points... the plot thickens.
Another possibility, particularly if change documents are missing, is a custom program.
In SE11 select USR02 and do a where-used-list lookup on it. Keep an eye on any programs in the Z* and Y* range with the name "LOCK" in it somewhere, and whether it is touching field UFLAG (e.g. MODIFY or UPDATE statements, etc.).
Cheers,
Julius
07-24-2015 3:40 PM
Hi Julius,
Though this is an old post, I have a question related to your comment above. If a custom program is indeed being used to lock users (which is the case at our client), how do we track those changes? Those don't come up in change docs in SUIM or DBTABLOG. Do you think the Change Documents service is not being called in the custom program which calls tables CDHDR and CDPOS? I am trying to understand: does SAP support a change log if users are locked via a custom program? If not, then it is a huge audit risk.
Thanks
SV
11-23-2009 10:41 AM
Hello,
Did you check the USH02 table directly for change log entries, or only via SUIM?
I strongly recommend checking the table content directly in this case to prove whether the lock change documents are really missing or whether there is a problem in SUIM.
Regarding the password change entry when unlocking a user: please have a look at SAP note #1402852. As the structure of USH02 has been changed, such strange records appear at the first change of a user after upgrading a system...
b.rgds, Bernhard
07-24-2015 5:59 PM
RFC connections could be the issue, and those usernames are used in RFC; when they reset the password, it will attempt to use the existing password if it's not updated in the RFC destination.
Please close the thread since it's a very old one.
07-27-2015 3:57 PM
Hi Guys,
Though this is an old post, I have a question related to your comments above. If a custom program is indeed being used to lock users (which is the case at our client), how do we track those changes? Those don't come up in change docs in SUIM or DBTABLOG. Do you think the Change Documents service is not being called in the custom program which calls tables CDHDR and CDPOS? I am trying to understand: does SAP support a change log if users are locked via a custom program? If not, then it is a huge audit risk.
Thanks
Sandesh
07-28-2015 2:13 PM
I'd have someone review the code and look at what it does. Is it manually updating UFLAG with a specific value (not 128, 64, etc.) or is it calling a function module?
If the code is hitting the database directly and not writing logs or change docs, then that is an audit/tracking issue.
SAP would "support" it if the custom code catered for it.
Regards
Colleen
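The check discussed in this thread (read USH02 directly rather than only through SUIM, and look for UFLAG values other than the standard ones), as an added example that is not part of any post above. It assumes USR02 and USH02 rows have been exported into dictionaries keyed by the field names BNAME, UFLAG, MODDA, MODTI and MODBE, and that each USH02 row carries the UFLAG value after the change; the sample rows and user names are constructed.

```python
# Added example: reconcile USR02 lock state with USH02 change-log rows.
# Standard UFLAG lock bits; other bits suggest a direct table update.
LOCK_BITS = {
    32: "locked by central (CUA) administrator",
    64: "locked by administrator",
    128: "locked after failed logon attempts",
}
KNOWN_MASK = sum(LOCK_BITS)


def decode_uflag(uflag):
    """Return the lock reasons encoded in a UFLAG value."""
    reasons = [text for bit, text in LOCK_BITS.items() if uflag & bit]
    if uflag & ~KNOWN_MASK:
        reasons.append(f"unrecognised bits 0x{uflag & ~KNOWN_MASK:02X}")
    return reasons


def find_unlogged_locks(usr02_rows, ush02_rows):
    """Locked users whose UFLAG is not explained by their newest USH02 row."""
    latest = {}
    for row in ush02_rows:
        stamp = (row["MODDA"], row["MODTI"])  # YYYYMMDD / HHMMSS sort as text
        if row["BNAME"] not in latest or stamp > latest[row["BNAME"]][0]:
            latest[row["BNAME"]] = (stamp, row)
    findings = []
    for user in usr02_rows:
        if user["UFLAG"] == 0:
            continue  # not locked
        entry = latest.get(user["BNAME"])
        logged = entry[1]["UFLAG"] if entry else None  # assumed: value after change
        if logged != user["UFLAG"]:
            findings.append((user["BNAME"], decode_uflag(user["UFLAG"]), logged))
    return findings


# Constructed sample rows (not from the thread), e.g. as exported via SE16.
USR02 = [
    {"BNAME": "ALICE", "UFLAG": 64}, {"BNAME": "BOB", "UFLAG": 64},
    {"BNAME": "CAROL", "UFLAG": 0}, {"BNAME": "DAVE", "UFLAG": 65},
]
USH02 = [
    {"BNAME": "ALICE", "MODDA": "20091120", "MODTI": "081500", "MODBE": "ADMIN1", "UFLAG": 0},
    {"BNAME": "ALICE", "MODDA": "20091121", "MODTI": "090000", "MODBE": "ADMIN1", "UFLAG": 64},
    {"BNAME": "BOB", "MODDA": "20091119", "MODTI": "120000", "MODBE": "ADMIN1", "UFLAG": 0},
]

if __name__ == "__main__":
    for name, reasons, logged in find_unlogged_locks(USR02, USH02):
        print(name, reasons, "last logged UFLAG:", logged)
```

Each finding is a candidate for review, not proof of tampering: a user whose lock has no matching USH02 row is where a where-used search on USR02 for custom programs would start.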