/FLAGS=([NO]option[,...])
Specifies login flags for the user. The prefix NO clears the
flag. The options are as follows:
AUDIT Enables or disables mandatory security auditing for
a specific user. By default, the system does not
audit the activities of specific users (NOAUDIT).
AUTOLOGIN Restricts the user to the automatic login mechanism
when logging in to an account. When set, the flag
disables login by any terminal that requires entry
of a user name and password. The default is to
require a user name and password (NOAUTOLOGIN).
CAPTIVE Prevents the user from changing any defaults at
login, for example, /CLI or /LGICMD. It prevents
the user from escaping the captive login command
procedure specified by the /LGICMD qualifier
and gaining access to the DCL command level. See
"Guidelines for Captive Command Procedures" in the
HP OpenVMS Guide to System Security.
The CAPTIVE flag also establishes an environment
where Ctrl/Y interrupts are initially turned off;
however, command procedures can still turn on Ctrl/Y
interrupts with the DCL command SET CONTROL=Y. By
default, an account is not captive (NOCAPTIVE).
DEFCLI Restricts the user to the default command
interpreter by prohibiting the use of the /CLI
qualifier at login. By default, a user can choose
a CLI (NODEFCLI).
DISCTLY Establishes an environment where Ctrl/Y interrupts
are initially turned off and are invalid until a
SET CONTROL=Y is encountered. This could happen in
SYLOGIN.COM or in a procedure called by SYLOGIN.COM.
Once a SET CONTROL=Y is executed (which requires
no privilege), a user can enter a Ctrl/Y and reach
the DCL prompt ($). If the intent of DISCTLY is
to force execution of the login command files,
then SYLOGIN.COM should issue the DCL command
SET CONTROL=Y to turn on Ctrl/Y interrupts before
exiting. By default, Ctrl/Y is enabled (NODISCTLY).
DISFORCE_ Removes the requirement that a user must change an
PWD_CHANGE expired password at login. By default, a person can
use an expired password only once (NODISFORCE_PWD_
CHANGE) and then is forced to change the password
after logging in. If the user does not select a new
password, the user is locked out of the system.
To use this feature, set a password expiration date
with the /PWDLIFETIME qualifier.
DISIMAGE Prevents the user from executing RUN and foreign
commands. By default, a user can execute RUN and
foreign commands (NODISIMAGE).
DISMAIL Disables mail delivery to the user. By default, mail
delivery is enabled (NODISMAIL).
DISNEWMAIL Suppresses announcements of new mail at login.
By default, the system announces new mail
(NODISNEWMAIL).
DISPWDDIC Disables automatic screening of new passwords
against a system dictionary. By default, passwords
are automatically screened (NODISPWDDIC).
DISPWDHIS Disables automatic checking of new passwords against
a list of the user's old passwords. By default, the
system screens new passwords (NODISPWDHIS).
DISPWDSYNCH Suppresses synchronization of the external password
for this account. See bit 9 in the SECURITY_
POLICY system parameter for systemwide password
synchronization control.
DISRECONNECT Disables automatic reconnection to an existing
process when a terminal connection has been
interrupted. By default, automatic reconnection
is enabled (NODISRECONNECT).
DISREPORT Suppresses reports of the last login time, login
failures, and other security reports. By default,
login information is displayed (NODISREPORT).
DISUSER Disables the account so the user cannot log in.
For example, the DEFAULT account is disabled. By
default, an account is enabled (NODISUSER).
DISWELCOME Suppresses the welcome message (an informational
message displayed during a local login). This
message usually indicates the version number of
the operating system that is running and the name of
the node on which the user is logged in. By default,
a system login message appears (NODISWELCOME).
EXTAUTH Considers user to be authenticated by an external
user name and password, not by the SYSUAF user name
and password. (The system still uses the SYSUAF
record to check a user's login restrictions and
quotas and to create the user's process profile.)
GENPWD Restricts the user to generated passwords.
By default, users choose their own passwords
(NOGENPWD).
LOCKPWD Prevents the user from changing the password for
the account. By default, users can change their
passwords (NOLOCKPWD).
PWD_EXPIRED Marks a password as expired. The user cannot log in
if this flag is set. The LOGINOUT.EXE image sets the
flag when both of the following conditions exist: a
user logs in with the DISFORCE_PWD_CHANGE flag set,
and the user's password expires. A system manager
can clear this flag. By default, passwords are not
expired after login (NOPWD_EXPIRED).
PWD2_ Marks a secondary password as expired. Users cannot
EXPIRED log in if this flag is set. The LOGINOUT.EXE image
sets the flag when both of the following conditions
exist: a user logs in with the DISFORCE_PWD_CHANGE
flag set, and the user's password expires. A system
manager can clear this flag. By default, passwords
are not set to expire after login (NOPWD2_EXPIRED).
PWDMIX Enables case-sensitive and extended-character
passwords.
After PWDMIX is specified, you can then use mixed-
case and extended characters in passwords. Be aware
that before the PWDMIX flag is enabled, the system
stores passwords in all upper-case. Therefore, until
you change passwords, you must enter your pre-PWDMIX
passwords in upper-case.
To change the password after PWDMIX is enabled:
o You (the user) can use the DCL command SET
PASSWORD, specifying the new mixed-case password
(omitting quotation marks).
o You (the system manager) can use the AUTHORIZE
command MODIFY/PASSWORD, and enclose the user's
new mixed-case password in quotation marks " ".
RESTRICTED Prevents the user from changing any defaults at
login (for example, by specifying /LGICMD) and
prohibits user specification of a CLI with the
/CLI qualifier. The RESTRICTED flag establishes
an environment where Ctrl/Y interrupts are initially
turned off; however, command procedures can still
turn on Ctrl/Y interrupts with the DCL command SET
CONTROL=Y. Typically, this flag is used to prevent
an applications user from having unrestricted access
to the CLI. By default, a user can change defaults
(NORESTRICTED).
VMSAUTH Allows account to use standard (SYSUAF)
authentication when the EXTAUTH flag would otherwise
require external authentication. This depends on the
application. An application specifies the VMS domain
of interpretation when calling SYS$ACM to request
standard VMS authentication for a user account that
normally uses external authentication.