AIX 5.3 - What does admin=true means?

Hi

I am not that clear about what kind of user is the one with this setting: admin=true. Per IBM reference
"The user is an administrator. Only the root user can change the attributes of users defined as administrators. "

However, I've also seen on other sites that it means that only root can change the password of this user.

So my question is, does the user with admin=true have full (administrator) access to the system or is just a restriction on who can change the user password?

Any thoughts would be appreciated.

Thanks!
LVL 41
ralmadaAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

woolmilkporcCommented:

Hi,
this flag applies to users and groups.

Normally, user attributes can be changed by root and the members of the security group (gid = 7).
With the admin flag set to true, only root can change such attributes.

For groups, you can have group admins. These users normally can change the attributes (and list of members) of the groups they are admins for, unless the admin flag of the group is set to true, which means, like for users above, that only root can do such changes.
 
That's all. admin=true doesn't have other effects than the ones I wrote above. Particularly, it doesn't give the affected user or group any privileges.

Using your words: " [It] is just a restriction on who can change the user password..."
 
wmp
0
ralmadaAuthor Commented:
Thanks wmp.
One follow up question then. How can I determine if an user is an administrator or not? What command should I execute?
Sorry I'm a newbie in AIX.
0
woolmilkporcCommented:
No reason to be sorry.  I'm always pleased to be able to help.

"... is an admin ..."  is not quite correct. You should have said "... whose account is under admin restriction ..."
The appropriate command would be:

lsuser -a admin username

Output could be

username admin=true     (or false, of course)

Instead of username you can also use ALL (uppercase) to list all users.

The command for group is (you guess it):

lsgroup -a admin groupname

Please have a look at this EE case, where I explain 'lsuser' in detail:

http://www.experts-exchange.com/OS/Unix/AIX/Q_24519566.html

More questions? You're welcome!

wmp





0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ralmadaAuthor Commented:
Thanks so much! You've been very helpful
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.