02-05-2013 9:34 AM
We have a system whereby user-accounts are automatically created from Active Directory to SAP. As these users are normally only used for acces from a portal the password should be de-activated. We need to do this from the CUA-system as password changes are not allowed on the child-system.
When a new user is created the password is of course always initial but Is there a way to automatically deactivate the password directly after an account is created ?
Thanks for any suggestions.
02-06-2013 9:08 AM
Hi Thom,
Could the parameter login/disable_password_logon help you? Then the password is deactivated for all users in the system.
Kind regards
Maaike
02-06-2013 2:54 PM
Hi Thom,
You can also consider decreasing the lifespan of the initial password (login/password_max_new_valid). With unknown initial passwords which expire before the user is notified there shouldn't be a big security risk.
Jurjen
02-11-2013 7:55 AM
Hi Jurjen,
It is not enough to disable the password, you have to actively set the password to "deactivated".
These users come from an HR-portal where their identity is verified via ldap but connect to backend-system to get the relevant HR-data per user. To prevent them getting a logon-screen when connecting the password needs to be deactivated (which is something else than disabled). As the users are automatically created on a CUA-system we need to add a step somewhere to do this deactivation. Hope this clarifies my question.
02-07-2013 9:29 AM
Do you use the standard LDAP syncronization to copy users from LDAP to the CUA central system?
- Transaction LDAP to configure the connection
- Report RSLDAPSYNC_USER to synchronize users according to LDAP
Currently I do not have access to a test system to verify it personally, but I guess that you can configure the password creation rule 'no password' in the settings somehow. Please check the attribute mappings in transaction LDAP.
Kind regards
Frank