cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

none of the system accounts are usable.

laurie_mcginley
Participant

on ‎03-10-2010 9:09 PM

0 Kudos

We have a client in our test system where the ddic account password has been forgotten. In addition, the other user admin account is locked due to also forgetting their password. As was SAP*.

So, I used the option to delete the sap* from the usr02 table, and set the parm in the instance profile to allow the hard coded sap* account.

I can now login using the sap*, but it has no authorization to unlock those locked accounts, or reset passwords, or create an account.

We are now at a point where we do not have admin access to that client to address the issue. Is there something I'm missing? Why does the sap* not have auth to unlock or reset passwords? This is all I'd need to get one of the admin accounts back so we can then address the other locked accounts.

Your suggestions?

Thanks

Laurie McGinley

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (3)

Answers (3)

Former Member
‎03-11-2010 2:54 PM
0 Kudos

Hello Laurie,

You should be able to create new users using SAP* user. I think user master data of SAP* was created in the client. I am not suere whether user master data is deleted or not inspite of the fact that you have deleted the user from "usr02".

Try to go at DB level and delete 'SAP*" from there. And at OS level open your instance profile and check for "login/ no_automatic_user_sapstar" is set to "0" or not and there might be a case that this parameter is not present at os level as happened with me. In this case at the parameter manually and restart the instance again. As this is not a dynamic parameter.

I hope this should help you out. I will try to find out the other solutions.

Cheers...

Show replies
Show replies
laurie_mcginley
Participant
‎03-11-2010 3:19 PM
0 Kudos

Thank-you for your responses.

This is a ECC5 system. It is the QA system, the client is our 110 client.

We are using CUA on our Solution Manager to manage most clients user access. the QA:110 client is one of the systems defined to CUA.

I used the procedure to delete the sap* from the database table usr02 and set the login/no_automatic_user_sapstar = 0 then restarted the QA system.

I can use sap* to log in, but many options, such as create accounts, change passwords, are grayed out.

I've also tried the option to reset the lock flag to 0. The problem is, no one remembers their password!

I'm beginning to wonder if there isn't something associated with the CUA that is causing the sap* not to have all the access needed.

There seems to be somehting odd with that system in the CUA as we can add users, but cannot add roles to users. No roles are presented from the select list for that system. Which is odd, because they do exist in the system.

Again, this is now a rarely used client. I'm wondering if something with the CUA was changed/broken for that client, but since it isn't used we didn't pick up on it. And that is causing the issue with the hard coded sap*.

Thanks again for your input so far. Still searching for an answer.

Laurie

JPReyes
Active Contributor
‎03-11-2010 3:33 PM
0 Kudos

If this is a CUA child why don't you reset and unlock the users from CUA?...

If you can't check to see if you have access to SCUM and set all fields to local and reset the passwords

Regards

Juan

laurie_mcginley
Participant
‎03-11-2010 4:02 PM
0 Kudos

Good morning Juan,

We did try to reset / unlock from CUA. It acts like it did reset or unlock them. But when we tried to connect to the client, we were still getting the locked or invalid password message. So it seems like something isn't quite right with cua and that client.

Thanks

JPReyes
Active Contributor
‎03-11-2010 4:13 PM
0 Kudos

As I said before use SAP* to change CUA setting in SCUM from global to local then go to SU01 and reset the passwords.

Regards

Juan

laurie_mcginley
Participant
‎03-26-2010 11:47 PM
0 Kudos

And the answer was....

Because the client is registered to the CUA, the SAP* on the client didn't have auth to reset passwords. The child model had to be deleted from the client. At which point the SAP* could then reset passwords.

Thanks for all your suggestions.

Laurie

JPReyes
Active Contributor
‎03-11-2010 9:53 AM
0 Kudos

If you know the password of any of the other users and you need to unlock all for certain clinet user use SQL command,

update sapr3.usr02 set uflag='0' where mandt='<client>';

Now, about the fact that SAP* does not have any authorizations Im trying to gather some info but seems like authorizations for SAP* where removed before user been locked if I found any info I'll let you know

Regards

Juan

Show replies
Show replies
Former Member
‎03-11-2010 3:29 AM
0 Kudos

Hi,

Can you let us know which system it is like IDES system or other system and in to which client you are logging in.

Regards,

Sharath

Show replies
Show replies
Ask a Question