Summary: ALthough AIX is by now on version 7.3 I find these old pages so fascinating I decided to keep them. On this page I'll show you to manage users on AIX. This page is for AIX 5.3 and AIX 6.1.
Date: Between 2010-2013
Refactor: 21 December 2024: Checked formatting.

When working on the AIX LDAP authentication on eDirectory project we came to a point where there was also need for local users to which we could su. This proved a little problematic because of the su configuration on AIX. I did manage to solve the problem and the need for this page was born, I needed a place to store my new information about AIX User Management.

According to this IBM Document users who are a LDAP user cannot su to a local user due to the group membership. The fix is pretty simple, use smitty to set the “SU GROUPS” attribute to ALL:

• sudo smitty users
  • Change / Show Characteristics of a User
  • Select the local user
  • Set the “SU GROUPS” attribute to “ALL”. You can't select this option, you'll have to type it.

Due to our security policies on AIX boxes new users are created without the possibility to su to the user, with the issue above in mind that's not what we want.

• sudo smitty users
  • Change / Show Characteristics of a User
  • Select the local user
  • Set the “Another user can SU TO USER?” to “true”.

When this message is received you'll have to reset the account:

3004-303 There have been too many unsuccessful login attempts; please see
        the system administrator.

Procedure to reset the account:

chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s <username>
chuser "account_locked=false" <username>

Chsec is the command needed to change an user's security attributes. I tried to do this with my own user account, using sudo but then I received this error:

Error committing changes to "<username>".

The solution was to issue the command as root, so I first had to SU to root and then the command succeeded.

This might be solved with AIX 6.1 when ROLES have LDAP integration:

The AIX 5L Security Expert was introduced with Technology Level 5 of AIX V5.3 OS, it provides clients with the capability to manage more than 300 system security settings from a single interface and the ability to export and import those security settings between systems. In AIX V6.1 OS it includes an enhancement to store security templates in a Lightweight Directory Protocol (LDAP) directory for use across a client's enterprise to help centralize its administration.

If you've changed a password for a local user and you don't want to force to change the password again clear the 'ADMCHG' flag of the user account:

aixbox:/>sudo passwd user-2
Changing password for "user-2"
user-2's New password:
Re-enter user-2's new password:
aixbox:/>sudo pwdadm -c user-2
aixbox:/>

This is an example to create a user using variables and setting different user attributes:

mkuser id="${_userid}" pgrp="${_groupname}" groups="${_groupname},users" \
home="$(userhome "${_teller}")" shell='/bin/bash' gecos="User (Number ${_teller})" \
umask='002' rlogin='false' sugroups='ALL' su='true' loginretries='10' maxage='0' \
maxrepeats='8' minlen='5' minother='1' maxexpired='-1' minalpha='3' minage='0' \
histsize='0' histexpire='0' "${_username}"

Although there is no out of the box way to import account details into Excel there is an easy way. It consists of these steps:

1. Query for the data
2. Copy the output into a text editor
3. Replace delimiter by a comma
4. Import the text file with excel

Determine the data you need. For me it's the name of the user, some account information and the User information. The last attribute is a bit tricky. It's not a required field and can be empty, so be sure to request the attribute as the last attribute:

lsuser -c -a account_locked login rlogin gecos ALL | grep '^[a-z]'

This will give you output to the screen which you can copy to a text editor which can replace the delimiter ':' with the delimiter ','. Save the file with the extension '.csv' and open the file with excel. Save the new file as a normal excel file.