topic Re: Disable Initial Password Reset. in Application Development and Automation Discussions

Disable Initial Password Reset.

Former Member — Thu, 12 Jul 2007 13:53:34 GMT

Hello;

Is it possible to set that the user do not change the initial password

when created or even if the SAP Administrator reset it, the first time

the user log on the system.

Thanks;

Ali Gumusoglu

Re: Disable Initial Password Reset.

Former Member — Thu, 12 Jul 2007 14:02:11 GMT

I don't believe this is possible with a dialog user without modifying the SAP logon procedure code (possible but can be problematic).

More importantly, what would you want to do this? The change initial password is a good password control.

Re: Disable Initial Password Reset.

Former Member — Thu, 12 Jul 2007 17:03:07 GMT

Hi;

We would like to use client based SSO in our company. This SSO application is client based so we could' t use SSO profile parameters. I asked this question may be there is another relevant profile parameters.

Thanks;

Re: Disable Initial Password Reset.

Former Member — Fri, 13 Jul 2007 04:53:30 GMT

Hi Ali,

Yes, it is possible; for that follow below steps:

1.Start the Config Tool C:\usr\sap\<SID>\<engine-instance>\j2ee\configtool\configtool.bat

Ex: D:\usr\sap\F02\JC00\j2ee\configtool --> configtool.bat

2.Goto cluster-data --> Global server configuration --> services --> com.sap.security.core.ume.service

3.Click on below property and set value is FALSE and click and "SET" button.

"ume.logon.security_policy.password_change_required = FALSE"

4.Save.

5. Restart the engine.

Now

1. Login with an "Administrator"

2. Create a user and define a password like "init123"

3. logoff from "administrator"

4. login with new user; password is "init123"

now system will not ask to change password.

Reward Points; if it is usefull.

Thanks,

Nagaraju Parlapalli

Re: Disable Initial Password Reset.

Former Member — Fri, 13 Jul 2007 05:38:38 GMT

Hi Nagaraju ;

Our user connects to SAP R/3 over SAP GUI. We don't use java tools.

Our platform is;

OS: HP-UX 11.11

SAP 4.7 WAS

Oracle 9

Thanks.

Re: Disable Initial Password Reset.

Former Member — Fri, 13 Jul 2007 06:50:07 GMT

Hi Ali,

Check for the parameter "login/password_change_for_SSO".

I think by setting value 3 with this parameter we can make, deactivation of password..

Read the documentation of this parameter..

Reg'

Zeemaaa..

Re: Disable Initial Password Reset.

Former Member — Fri, 13 Jul 2007 07:25:26 GMT

The client based SSO makes it a bit more difficult.

Last time I saw a situation like yours the answer was to modify the standard login program SAPMSYST to bypass the forced reset. If I remember correctly (it was a while ago) it was not straightforward as that program has protected source code. There is also the impact of support packs or general upgrades to consider if standard SAP is modified.

Good luck!

Re: Disable Initial Password Reset.

Wolfgang_Janzen — Sun, 15 Jul 2007 17:42:24 GMT

Just for your information: the routines to validate the logon data and to control the requirement / ability to change passwords are implemented in the kernel; SAPMSYST only implements the SAPGUI logon UIs.

But anyway: most likely <a href="https://service.sap.com/sap/support/notes/869218">SAP Note 869218</a> will provide the answer to Ali's question.

Cheers, Wolfgang

PS: any modification to the system program SAPMSYST will (with a very high likelyhood) result in (severe) problems - that's why it is protected (to prevent you from steping into trouble).

Re: Disable Initial Password Reset.

Former Member — Sun, 15 Jul 2007 21:09:44 GMT

I'm pretty sure (though not 100%) that the mods that were required to bypass the password prompt were only done in SAPMSYST - this was in 4.6A, either way I agree it's not something that should be taken lightly. The only situation where there is a high potential for severe problems is if insufficient time is taken to research the impact of the changes and test them properly.

Re: Disable Initial Password Reset.

Former Member — Thu, 19 Jul 2007 11:23:12 GMT

As Wolfgang already said it's absolutely sure (=100%) that you cannot bypass it with any ABAP modification

Re: Disable Initial Password Reset.

Matt_Fraser — Sun, 29 Jul 2007 21:44:16 GMT

It is possible to bypass the initial password change requirement by setting the users to be of type SERVICE instead of DIALOG. However, there's a cost to this: SERVICE users cannot change their own passwords. It has to be done for them by system administrators. So, you would have to weigh the consequences of doing something like this against the perceived benefit.

--Matt

Re: Disable Initial Password Reset.

Wolfgang_Janzen — Mon, 30 Jul 2007 07:46:55 GMT

Not only this - SERVICE users are also not subject of the "idle password usage" control (-> login/password_max_idle_productive - see <a href="https://service.sap.com/sap/support/notes/862989">SAP Note 862989</a>) and the system will not create SAP Logon Tickets for SERVICE users (see <a href="https://service.sap.com/sap/support/notes/622464">SAP Note 622464</a>.

Re: Disable Initial Password Reset.

azmanhamid — Wed, 04 Jun 2014 08:04:03 GMT

On 7.4, The closest parameter available is ume.logon.security_policy.password_change_allowed

Re: Disable Initial Password Reset.

Former Member — Tue, 04 Jun 2019 23:28:01 GMT

Hi Ali ,

Tell me the procedure if your problem was resolved.