Password problems

Previously, all characters that were allowed in i5/OS passwords were also allowed in Windows passwords. Now, i5/OS allows longer passwords and more characters than Windows supports. You should use i5/OS passwords containing only characters and password lengths allowed in Windows passwords if you want to enroll users. More i5/OS password level security information may be found in the Planning Password Level Changes section of the iSeries Security Reference Link to PDF..

If a password keeps expiring each day after being changed from the integrated server console, it means that the user forgot that the password must be changed from i5/OS. Changing the i5/OS password eliminates the problem.

If the i5/OS and Windows server passwords do not match, perform these tasks to determine why.

  1. Check to see if the user is configured as a Windows user. See Types of user configurations.
    1. On the i5/OS command line, type WRKUSRPRF.
    2. Type in the correct UserID.
    3. Check to see if the attribute LCLPWDMGT (Local password management) is set to *NO. If so the user is configured to have an i5/OS password of *NONE and the i5/OS and Windows passwords will not be the same.
  2. Check to see that i5/OS is set to store passwords:
    1. On the i5/OS command line, type WRKSYSVAL SYSVAL(QRETSVRSEC).
    2. Enter a 2 in the Option field; press Enter.
    3. Verify that Retain server security data is set to 1. If it is not, change it to 1.
  3. On the integrated Windows server, make sure that the User Administration Service is running. See Failures enrolling users and groups for related information.
  4. Check to see the i5/OS password support level:
    1. On the i5/OS command line, type WRKSYSVAL SYSVAL(QPWDLVL).
    2. Enter a 5 in the Option field; press Enter.

    The password level of i5/OS can be set to allow user profile passwords from 1 - 10 characters or to allow user profile passwords from 1 - 128 characters. The i5/OS password level of 0 or 1 supports passwords from 1 - 10 characters and limits the set of characters. At level 0 or 1, i5/OS will convert passwords to all lowercase for Windows server. The i5/OS password level of 2 or 3 supports passwords from 1 - 128 characters and allows more characters including upper and lower case characters. At level 2 or 3, i5/OS will preserve password case sensitivity for Windows server. A change to the i5/OS password level takes effect following an IPL.

  5. Check the enrollment status of the user. Make sure the user did not already exist in the Windows environment with a different password before you attempted to enroll the user (see Enroll a single i5/OS user to the Windows environment using iSeries Navigator). If the user did exist with a different password, enrollment will have failed. Change the Windows password to match the i5/OS password; then perform the enrollment procedure again.
  6. If the problem still persists, check the technical information databases at the IBM branded eserverIBM iSeries Support Web page Link outside Information Center.. If you cannot find the solution there, contact your technical support provider.