chusr Command—Modify Windows Users

selang Reference Guide › selang Commands › selang Commands in the Native Windows Environment › chusr Command—Modify Windows Users

chusr Command—Modify Windows Users

Valid in the native Windows environment

Use the chgusr, editusr, and newusr commands to work with Windows users. These commands are identical in structure and only vary in the following way:

The chusr command modifies one or more Windows users.
The editusr command creates or modifies one or more Windows users.
The newusr command creates one or more Windows users.

Note: This command also exists in the AC environment but operates differently.

This command has the following format:

{{chusr|cu}|{editusr|eu}|{newusr|nu}} userName \

[comment(string)|comment‑] \
[country(string)] \
[expire|expire(mm/dd/yy[@hh:mm])|expire‑] \
[flags{(accountFlags)|‑(accountFlags)}] \
[full_name(fullName)] \
[homedir(homeDir)] \
[homedrive(homeDrive)] \
[location(string)] \
[logonserver(serverName)] \
[organization(name)] \
[org_unit(name)] \
[password(password)] \
[pgroup(primaryGroup)] \
[phone(string)] \
[privileges(privList)] \
[profile(path)] \
[restrictions( \

days({[mon] [tue] [wed] [thu] [fri] [sat] [sun]}|anyday|weekdays) \
time(startTime:endTime|anytime))]\

[restrictions‑] \
[resume[(date)]|resume‑} \
[script(logonScriptPath)] \
[suspend[(date)] | suspend‑] \
[terminals(terminalList)|terminals‑(terminalList)] \
[workstations(workstationList)|workstations‑(workstationList)|workstations-]

comment(string)|comment-

Assigns a comment string to the user record.

The argument is an alphanumeric string of up to 255 characters. If the string contains any blanks, enclose the entire string in single quotation marks.

country(string)

Specifies the country where the user is located. This string is not used during the authorization process.

The argument is an alphanumeric string of up to 19 characters. If the string contains any blanks, enclose the entire string in single quotation marks.

expire|expire(mm/dd/yy[@hh:mm) | expire‑

Sets the date on which the user's account expires. If a date is not specified, the user account expires immediately, provided the user is not currently logged in. If the user is logged in, the account expires when the user logs out.

expire‑ with the newusr command defines a user account that does not have an expiration date. For the chusr and editusr commands, it removes an expiration date from the specified user account.

The date argument takes the format: mm/dd/yy [@hh:mm].

flags(accountFlags|- accountFlags)

Specifies particular attributes of a user's account. See the appendix “Windows Values” for a list of valid flag values.

To remove flags from the user record, precede accountFlags with a minus (-).

full_name(fullName)

Specifies the full name of the user associated with the user record.

The argument is an alphanumeric string of up to 256 characters. If the string contains any blanks, enclose the entire string in single quotation marks.

gecos(string)

Specifies a comment string for the user, such as the user's full name. Enclose the string in single quotation marks.

homedir(homeDir)

Specifies the user's home directory. Users log in automatically to their own home drives and home directories.

homedrive(homeDrive)

Specifies the drive of the user's home directory. Users log in automatically to their own home drives and home directories.

location(string)

Specifies the user's location. This string is not used during the authorization process.

The argument is an alphanumeric string of up to 19 characters. If the string contains any blanks, enclose the entire string in single quotation marks.

logonserver(serverName)

Specifies the server that verifies the login information for the user. When the user logs in to the domain workstation, CA ControlMinder transfers the login information to the server, which gives the workstation permission for the user to work.

organization(name)

Specifies the organization in which the user works. This information is not used during the authorization process.

The argument is an alphanumeric string of up to 256 characters. If the string contains any blanks, enclose the entire string in single quotation marks.

org_unit(name)

Specifies the organizational unit in which the user works. This information is not used during the authorization process.

The argument is an alphanumeric string of up to 256 characters. If the string contains any blanks, enclose the entire string in single quotation marks.

password(password)

Assigns a password to a user. If password checking is enabled, the password is valid for one login only. When the user next logs in to the system, a new password must be set.

The argument is a string of up to 14 characters, and cannot include either a space or a comma. If password checking is enabled, the password is valid for one login only. When the user next logs in to the system, the user must set a new password, unless you set the flag for “Password Never Expires”.

To change your own password, you need to set selang options using setoptions cng_ownpwd or use sepass.

If you are setting passwords for users on Windows NT systems, the following message may appear:

The password is shorter than required.

This error means that the password does not meet the policy requirements. This is caused by any of the following:

The password is shorter or longer than the required length.
The password has been used recently and exists in the Windows NT Change History field.
The password does not have enough unique characters.
The password does not meet other password policy requirements (such as those set with CA ControlMinder password policies).

To avoid this error, make sure you set a password which meets all applicable requirements.

pgroup(primaryGroup)

Sets the user's primary group ID. A primary group is one of the groups in which a user is defined and must be a Global group.

The argument is a string of up to 14 characters, and cannot include either a space or a comma.

phone(string)

Specifies the user's phone number. This information is not used during the authorization process.

privileges(privList)

Adds specific rights to the Windows user record or, when privList is preceded by a minus sign (-), removes the specified rights. You can specify this parameter only with the chusr or editusr command, and only when you are changing an existing user record. You cannot use it to assign privileges when you are creating a new user record.

profile(path)

Specifies the full path location of the file that contains a user's profile for the Desktop environment (program groups, network connections). Every time the user logs in to any workstation, the same environment appears on the screen.

restrictions([days] [time])|restrictions‑([days] [time])

Specifies the days of the week and the hours in the day when users may access the file.

If you omit the days argument and specify the time argument, the time restriction applies to any day‑of‑week restriction already indicated in the record. If you omit time and specify days, the day restriction applies to any time restriction already indicated in the record. If you specify both days and time, the users may access the system only during the specified time period on the specified days.

[Days] specifies the days on which users may access the file. The days argument takes the following sub‑arguments:
- anyday-Allow users access to the file on any day.
weekdays-Allow users access to the resource only on weekdays-Monday through Friday.
- Mon, Tue, Wed, Thu, Fri, Sat, Sun-Allow users access to the resource only on the specified days. You can specify the days in any order. If you specify more than one day, separate the days with a space or a comma.
[Time] specifies the period during which users may access the resource. The time argument takes the following sub‑arguments:
- anytime-Allow users access to the resource at any time of the day.
- startTime:endTime-Allow access to the resource only during the specified period. The format of both startTime and endTime is hhmm, where hh is the hour in 24‑hour notation (00 through 23) and mm is the minutes (00 through 59). Note that 2400 is not a valid time value. startTime must be less than endTime, and both times must occur on the same day. If the terminal is in a different time zone from the processor, adjust the time values by translating the start and end times for the terminal to the equivalent local times for the processor. For example, if the processor is in New York and the terminal is in Los Angeles, to allow access to the terminal from 8:00 a.m. to 5:00 p.m. in Los Angeles, specify time (1100:2000).

resume(date)|resume‑

The date, and optionally time, at which Windows will reinstate the user account. If you specify both the suspend parameter and the resume parameter, make sure the resume date falls after the suspend date or the user will stay suspended indefinitely.

Enter a date, and optional time, in the following format:

mm/dd/yy[@HH:MM]

Use resume- parameter to change the status of the user account from active (enabled) to suspended. Use this parameter with the chusr or editusr commands only.

script(loginScriptPath)

Specifies the location of a file that runs automatically when the user logs in. This login script configures the working environment. This parameter is optional, since the profile parameter also sets up the user's working environment.

suspend(date)|suspend‑

Disables a user account. A user cannot use a suspended user account to log in to the system. If you specify date, Windows suspends the user account on the specified date. If you omit a date, Windows suspends the user account immediately upon execution of the chusr command.

Enter a date, and optional time, in the following format: mm/dd/yy[@HH:MM].

Use the suspend‑ parameter to change the status of the user account from disabled to active (enabled). Use this parameter with the chusr or editusr commands only.

terminals(terminalList)|terminals‑(terminalList)

Specifies up to eight terminals from which the user can log in. Surround the list with quotation marks, and separate the names with commas. For example:

“terminal1,terminal2”

workstations(workstationList)|workstations-(workstationList)|workstations-

Specifies up to eight workstations from which the user can log in. Surround the list with quotation marks, and separate the names with commas. For example:

“workstation1,workstation2”