UAFHELP.HLB  —  ADD  Qualifiers  /FLAGS
       /FLAGS=([NO]option[,...])

    Specifies login flags for the user. The prefix NO clears the
    flag. The options are as follows:

    AUDIT        Enables or disables mandatory security auditing for
                 a specific user. By default, the system does not
                 audit the activities of specific users (NOAUDIT).

    AUTOLOGIN    Restricts the user to the automatic login mechanism
                 when logging in to an account. When set, the flag
                 disables login by any terminal that requires entry
                 of a user name and password. The default is to
                 require a user name and password (NOAUTOLOGIN).

    CAPTIVE      Prevents the user from changing any defaults at
                 login, for example, /CLI or /LGICMD. It prevents
                 the user from escaping the captive login command
                 procedure specified by the /LGICMD qualifier
                 and gaining access to the DCL command level. See
                 "Guidelines for Captive Command Procedures" in the
                 VSI OpenVMS Guide to System Security.

                 The CAPTIVE flag also establishes an environment
                 where Ctrl/Y interrupts are initially turned off;
                 however, command procedures can still turn on Ctrl/Y
                 interrupts with the DCL command SET CONTROL=Y. By
                 default, an account is not captive (NOCAPTIVE).

    DEFCLI       Restricts the user to the default command
                 interpreter by prohibiting the use of the /CLI
                 qualifier at login. By default, a user can choose
                 a CLI (NODEFCLI).

    DISCTLY      Establishes an environment where Ctrl/Y interrupts
                 are initially turned off and are invalid until a
                 SET CONTROL=Y is encountered. This could happen in
                 SYLOGIN.COM or in a procedure called by SYLOGIN.COM.
                 Once a SET CONTROL=Y is executed (which requires
                 no privilege), a user can enter a Ctrl/Y and reach
                 the DCL prompt ($).  If the intent of DISCTLY is
                 to force execution of the login command files,
                 then SYLOGIN.COM should issue the DCL command
                 SET CONTROL=Y to turn on Ctrl/Y interrupts before
                 exiting. By default, Ctrl/Y is enabled (NODISCTLY).

    DISFORCE_    Removes the requirement that a user must change an
    PWD_CHANGE   expired password at login. By default, a person can
                 use an expired password only once (NODISFORCE_PWD_
                 CHANGE) and then is forced to change the password
                 after logging in. If the user does not select a new
                 password, the user is locked out of the system.

                 To use this feature, set a password expiration date
                 with the /PWDLIFETIME qualifier.

    DISIMAGE     Prevents the user from executing RUN and foreign
                 commands. By default, a user can execute RUN and
                 foreign commands (NODISIMAGE).

    DISMAIL      Disables mail delivery to the user. By default, mail
                 delivery is enabled (NODISMAIL).

    DISNEWMAIL   Suppresses announcements of new mail at login.
                 By default, the system announces new mail
                 (NODISNEWMAIL).

    DISPWDDIC    Disables automatic screening of new passwords
                 against a system dictionary. By default, passwords
                 are automatically screened (NODISPWDDIC).

    DISPWDHIS    Disables automatic checking of new passwords against
                 a list of the user's old passwords. By default, the
                 system screens new passwords (NODISPWDHIS).

    DISPWDSYNCH  Suppresses synchronization of the external password
                 for this account. See bit 9 in the SECURITY_
                 POLICY system parameter for systemwide password
                 synchronization control.

    DISRECONNECT Disables automatic reconnection to an existing
                 process when a terminal connection has been
                 interrupted. By default, automatic reconnection
                 is enabled (NODISRECONNECT).

    DISREPORT    Suppresses reports of the last login time, login
                 failures, and other security reports. By default,
                 login information is displayed (NODISREPORT).

    DISUSER      Disables the account so the user cannot log in.
                 For example, the DEFAULT account is disabled. By
                 default, an account is enabled (NODISUSER).

    DISWELCOME   Suppresses the welcome message (an informational
                 message displayed during a local login). This
                 message usually indicates the version number of
                 the operating system that is running and the name of
                 the node on which the user is logged in. By default,
                 a system login message appears (NODISWELCOME).

    EXTAUTH      Considers user to be authenticated by an external
                 user name and password, not by the SYSUAF user name
                 and password. (The system still uses the SYSUAF
                 record to check a user's login restrictions and
                 quotas and to create the user's process profile.)

    GENPWD       Restricts the user to generated passwords.
                 By default, users choose their own passwords
                 (NOGENPWD).

    LOCKPWD      Prevents the user from changing the password for
                 the account. By default, users can change their
                 passwords (NOLOCKPWD).

    PWD_EXPIRED  Marks a password as expired. The user cannot log in
                 if this flag is set. The LOGINOUT.EXE image sets the
                 flag when both of the following conditions exist: a
                 user logs in with the DISFORCE_PWD_CHANGE flag set,
                 and the user's password expires. A system manager
                 can clear this flag. By default, passwords are not
                 expired after login (NOPWD_EXPIRED).

    PWD2_        Marks a secondary password as expired. Users cannot
    EXPIRED      log in if this flag is set. The LOGINOUT.EXE image
                 sets the flag when both of the following conditions
                 exist: a user logs in with the DISFORCE_PWD_CHANGE
                 flag set, and the user's password expires. A system
                 manager can clear this flag. By default, passwords
                 are not set to expire after login (NOPWD2_EXPIRED).

    PWDMIX       Enables case-sensitive and extended-character
                 passwords.

                 After PWDMIX is specified, you can then use mixed-
                 case and extended characters in passwords. Be aware
                 that before the PWDMIX flag is enabled, the system
                 stores passwords in all upper-case. Therefore, until
                 you change passwords, you must enter your pre-PWDMIX
                 passwords in upper-case.

                 To change the password after PWDMIX is enabled:

                 o  You (the user) can use the DCL command SET
                    PASSWORD, specifying the new mixed-case password
                    (omitting quotation marks).

                 o  You (the system manager) can use the AUTHORIZE
                    command MODIFY/PASSWORD, and enclose the user's
                    new mixed-case password in quotation marks " ".

    RESTRICTED   Prevents the user from changing any defaults at
                 login (for example, by specifying /LGICMD) and
                 prohibits user specification of a CLI with the
                 /CLI qualifier. The RESTRICTED flag establishes
                 an environment where Ctrl/Y interrupts are initially
                 turned off; however, command procedures can still
                 turn on Ctrl/Y interrupts with the DCL command SET
                 CONTROL=Y. Typically, this flag is used to prevent
                 an applications user from having unrestricted access
                 to the CLI. By default, a user can change defaults
                 (NORESTRICTED).

    VMSAUTH      Allows account to use standard (SYSUAF)
                 authentication when the EXTAUTH flag would otherwise
                 require external authentication. This depends on the
                 application. An application specifies the VMS domain
                 of interpretation when calling SYS$ACM to request
                 standard VMS authentication for a user account that
                 normally uses external authentication.
Close Help