Solved: ECC is not prompting for password change for some ...

Former Member · ‎05-03-2015

Dear Experts,

I found a strange behaviour in our ECC 6 system (BASIS release 702). System is not prompting for password change after password expiration time and this is happending for few users. So far five users have reported this behaviour. Users are happy indeed for this

We have parameter login/password_expiration_time = 30.

These users are even not able to change their password themselves. When they are trying to change their password using "New Password" button in login screen, system is giving message as "you can change your password only once a day". Even though user did not change password in that day at all.

Initially I though there may be any parameter where users' id maintained to exclude password policy, but seems there is no paramter like this in ECC6.

Your help will be appreciated to find out reason for this strange behaviour.

Regards

Aktar

Former Member · ‎05-03-2015


Aktar Ali wrote:

When they are trying to change their password using "New Password" button in login screen, system is giving message as "you can change your password only once a day".

The only logical explanation for this is that some program is resetting the "last changed date" of the password to the current date for these users. That cannot be a standard SAP program.

1) Check via SE11 -> table USR02 -> where-used-list for Z-programs which perform direct update statements on the table. Particularly fields DCDA1 and PWDCHGDATE.

2) Check in SM37 whether jobs running in the early hours of the morning each day are described as being something security or password related. The job could also be a in a different client and updating client specified!

3) Contact the DB admin and ask about any scripts running which update the above table.

Cheers,

Julius

Sriram2009 · ‎05-03-2015

Hi Aktar

Is this ECC system integrate with Windows AD or other system?

BR

SS

Former Member · ‎05-03-2015

Dear SS,

No, there is no integration. User ID is created simply using SU01 and user logges in using sap gui.

Thx

Aktar

Sriram2009 · ‎05-03-2015

Hi Aktar

Thanks for your information,

1. On your ECC system how many Dilalog instance are connected? have you update the passport policy parameters in CI & all DI systems?

2. Could you share your ECC system version & kernel details?

BR

SS

Former Member · ‎05-03-2015

Dear SS,

Thanks for your effort and time.

Yes, password parameters are applied in all the instances and it is working fine for most of the users.

Below is the requested details.

Thanks

Aktar

Private_Member_69416 · ‎05-03-2015

Hi

Don't you use SERVICE user type?

Regards

Przemek

Former Member · ‎05-03-2015


Aktar Ali wrote:

When they are trying to change their password using "New Password" button in login screen, system is giving message as "you can change your password only once a day".

The only logical explanation for this is that some program is resetting the "last changed date" of the password to the current date for these users. That cannot be a standard SAP program.

1) Check via SE11 -> table USR02 -> where-used-list for Z-programs which perform direct update statements on the table. Particularly fields DCDA1 and PWDCHGDATE.

2) Check in SM37 whether jobs running in the early hours of the morning each day are described as being something security or password related. The job could also be a in a different client and updating client specified!

3) Contact the DB admin and ask about any scripts running which update the above table.

Cheers,

Julius

ECC is not prompting for password change for some users