???Disable Qxxxxx user profiles???

What we did was to scramble the password for those profile. When and if we need to use one of them, we just reset the password, do the job and scramble it again.

???Disable Qxxxxx user profiles???

We have notice that we have a bunch of Q user profiles on our systems. We would like to know which would be the ones that we might be OK to disable? Any ideas? Any help would be greatly appreciated. Thank you in advanced.

???Disable Qxxxxx user profiles???

I would not disable any of the IBM profiles - but not every "Q" profile is guaranteed to be an IBM profile. Here is a method of determining which are legitimate. First look in the Security Reference Manual - Appendix B has a list of all the user profiles that IBM uses. Not every profile that is listed in the manual may be on your system - it depends on which LPP's you have installed - but this is a good place to start. On my V5R1 system I have 44 IBM profiles. Second, - just to verify the results of step one - you can do a DSPOBJD on each of these profiles to see when and where it was created. If the profile object was created on system '00000000' by user '*IBM', it's a pretty good bet that the it's a legitimate IBM User. On my V5R1 system the only profiles that didn't fit this bill were QNETWARE, QTMPLPD and QTMTWSG. Those profiles were created on my system by user QLPINSTALL at the date and time of my OS installation. As far as disabling - I wouldn't recommend that you do that to IBM profiles. Better to simply set their passwords to *NONE so that no one can sign on as that user. If you attempt to do this, you will find that only 11 of the 44 profiles will actually allow you to change them. Those profiles are QBRMS, QEJB, QNETWARE, QPGMR, QRJE, QSECOFR, QSRV, QSRVBAS, QSYSOPR, QTMHHTTP, QTMPLPD, QTMTWSG, AND QUSER. On these profiles only QSECOFR is actually shipped with an active password, the others are shipped from the factory with a password of *NONE. For the truly paranoid you could go back and change all of these profiles (Except QSECOFR – you’ll need that one) to password of *NONE again, but this would only be necessary if you were concerned that some of these profiles had been tampered with. jte