Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Where can I set password security policies and unlock a user?

Former Member

‎02-13-2008 4:20 PM

0 Kudos

Hello,

where can I set the password security policies for the whole system/client. I know RZ10 and I changed the password policy setting. Nevertheless it does not work.

Furthermore I would like to know how to unlock a specific user? The message is: Password logon not allowed (too many failed logons).

Thank you!

Marcus

9 REPLIES 9

Former Member

‎02-13-2008 4:31 PM

0 Kudos

rz10. some parameters only work for releases > NW640. check service.sap.com/notes for details on which those are.

in tx. SU01 you can initialize the password and unlock the users. in case of a CUA make sure you take this action in the CUA master.

Former Member

‎02-13-2008 4:36 PM

0 Kudos

>

> Hello,

>

> where can I set the password security policies for the whole system/client. I know RZ10 and I changed the password policy setting. Nevertheless it does not work.

Did you restart the system? This is required for the password relevant profile params

You also need to maintain the settings in the DEFAULT profile and check that the App Servers don't have conflicting values.

If in doubt speak to your Basis team about it

> Furthermore I would like to know how to unlock a specific user? The message is: Password logon not allowed (too many failed logons).

Transaction SU01 will let you do this

Former Member
In response to Former Member

‎02-13-2008 4:42 PM

0 Kudos

Transaction SU01 does not work. I can unlock the user, but the message 'Password logon not allowed (too many failed logons)' is still displayed!?

Former Member
In response to Former Member

‎02-13-2008 4:49 PM

0 Kudos

are you using a CUA? does this error appear in the master or in the child-system then?

what is your release?

are you using VIRSA?

Former Member
In response to Former Member

‎02-13-2008 4:52 PM

0 Kudos

No, I am using the standard SAP Discovery Server. No CUA. Standard standalone SAP ERP System ERP6.0

Former Member
In response to Former Member

‎02-13-2008 4:58 PM

0 Kudos

Yes, it sounds like the user is a CUA child user, but I have some doubts about this preventing a (local) password lock to be reset, or that VIRSA could interfer with SU01.

Try to use report RSUSR200 to display the users with password locks (like this one), then double click the user name (transaction SU01_NAV) and try to unlock it from there. Does that work? Also try to switch to change mode, and reset the password on the logondata tab. Does that work?

Cheers,

Julius

Former Member
In response to Former Member

‎02-13-2008 5:10 PM

0 Kudos

>

> Yes, it sounds like the user is a CUA child user, but I have some doubts about this preventing a (local) password lock to be reset, or that VIRSA could interfer with SU01.

Virsa & SAP GRC products can interfere with many things!

Former Member
In response to Former Member

‎02-13-2008 5:26 PM

0 Kudos

Which security parameters did you change? Did this only happen after you had changed them (although you mention that they did not (all) appear to take affect).

If there is some other authentication mechanism used (or had been used in the past), then the password might be deactivated.

What is the reason for the lock status of these users (post an example of the values of fields LOCNT, UFLAG, CODVN and ZBV(not sure exactly, but it is at the end of the table) in table USR02 for such a user).

Cheers,

Julius

WolfgangJanzen
Product and Topic Expert
Product and Topic Expert

‎02-13-2008 8:57 PM

0 Kudos

>

> I know RZ10 and I changed the password policy setting. Nevertheless it does not work.

Please notice that you have to restart the ABAP system in order to make the change effective. Another reason could be: you might have forgotten to "activate" the change after you have "saved" it - in RZ10.

You can run ABAP report RSPARAM to display the current (= effective) value of all profile parameters.

>

> Furthermore I would like to know how to unlock a specific user? The message is: Password logon not allowed (too many failed logons).

That error message (E 00 200) indicates that the "password lock" was set - after the maximum number of permissible failed password logon attempts was exceeded (to prevent brute force / dictionary attacks). That lock can be removed using transaction SU01 (or BAPI_USER_UNLOCK).

If your ABAP system is of release 6.10 / 6.20 / 6.40 / 7.00 you might experience strange effects caused by the fact that the user master record table (USR02) is buffered. If you have more than one ABAP server instance and if you've called transaction SU01 on a different server instance than the subsequent logon attempt (performed by the effected user, a short time period afterwards) then the table buffer synchronization (which takes some time) might show that negative effect. In such cases I'd suggest to deactivate the table buffering (for table USR02). As of 7.10 the table buffering (for USR02) is switched off.