Troubleshooting
Problem
This document provides information on determining how a user profile on the IBM i is getting disabled.
Resolving The Problem
You can determine what is disabling a user profile by using IBM i security auditing. Do the following:
Step 1: You should verify that you have auditing turned on. You can verify this using the following command:
DSPSECAUD
The QAUDCTL system value must include *AUDLVL, and the QAUDLVL system value must include *AUTFAIL and *SECURITY; otherwise, you cannot continue with the process below. Refer to the tech note Setting Up Security Auditing for how to set up security auditing.
Step 2: If auditing is turned on, query the audit journal for CP entries (these entries track all profile changes). Use the following command, where yourlib is a library of your choice:
CPYAUDJRNE ENTTYP(CP) OUTFILE(yourlib/QAUDIT)
Note: The command above searches for CP entries in the current receiver attached to your audit journal. If you do not find the entries you need, the journal receiver may have been recently detached. To obtain the needed information, you can query the whole receiver chain instead, specifying a time period for the search:
CPYAUDJRNE ENTTYP(CP) JRNRCV(*CURCHAIN) FROMTIME('date' 'time') TOTIME('date' 'time') OUTFILE(yourlib/QAUDIT)
Step 3: Now that you have extracted the auditing entries, you must run a query on the file to see what is disabling the profile. Enter:
STRSQL
Then, enter the following query:
SELECT CPTSTP,
CPJOB,
CPUSER,
CPNBR,
CPPGM,
CPPGMLIB,
CPUSPF,
CPSYNM,
CPRPORT,
CPRADR,
CPETYP,
CPONAM,
CPOLIB,
CPOTYP,
CPCMDN,
CPPCHG,
CPPNON,
CPPEXP,
CPSTAT
FROM yourlib/QAUDITCP
WHERE CPSTAT = '*DISABLED'
Scroll to the right with F20 to see the rest of the display.
This should give you a general idea of what is disabling your user profile. For example, in the screenshots above, you can see that user profile PESHO was disabled two times. First, it was disabled by user MAYA with a command from a specific IP address. Then, it was disabled from QSYS by program QLESPI, and there is no remote address. This means that the user probably attempted to log on too many times with the wrong password, and the system disabled the profile automatically.
If it is the latter case and you want to investigate further, refer to the tech note Tracking IP Address for Invalid Sign-On Attempts to find the invalid sign-on attempts and the IP addresses they came from.
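The reading of the two cases described above can be applied to every row at once. The following query is an added example, not part of the original IBM document; it assumes the QAUDITCP file created in Step 2, assumes that CPONAM holds the name of the profile that was changed, and uses DISABLED_BY labels invented for this illustration.

```sql
-- Added example: label each disable event using the heuristic from the text.
-- Program QLESPI with a blank remote address is treated as the system's
-- automatic disable (probably too many wrong passwords); anything else is
-- treated as a change made by a user or job.
SELECT CPTSTP,
       CPONAM,              -- assumption: the profile that was changed
       CPUSER,              -- user of the job that made the change
       CPUSPF,
       CPPGM,
       CPCMDN,
       CPRADR,
       CASE
         WHEN CPPGM = 'QLESPI' AND CPRADR = ' '
           THEN 'SYSTEM - PROBABLE SIGN-ON FAILURES'
         WHEN CPRADR <> ' '
           THEN 'USER OR JOB - REMOTE ADDRESS LOGGED'
         ELSE 'USER OR JOB - NO REMOTE ADDRESS'
       END AS DISABLED_BY
  FROM yourlib/QAUDITCP
 WHERE CPSTAT = '*DISABLED'
 ORDER BY CPONAM, CPTSTP
```

If your SQL interface does not accept `--` comments, enter the statement without them.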
Document Information
More support for: IBM i
Component: Security
Software version: 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.5.0
Operating system(s): IBM i
Document number: 645877
Modified date: 02 October 2024
UID: nas8N1020416