Well, the activity log won't tell you exactly where the commands are coming from, just the account. But my guess would be, since this is an AIX TSM server, that somebody has scripts running from cron that use the Operator account and have the password hardcoded in.
I would get somebody with root privileges on the server to help you dig through the crontab entries (it may run from somewhere other than root's crontab) and then grep through scripts with likely-sounding names looking for dsmadmc, or operator. Best of luck to you.

Just a tip, but for these sorts of scripts we set up a special privileged account whose password doesn't expire, and almost nobody knows the password to.

Best Regards,
John D. Schneider
Lead Systems Administrator - Storage
Sisters of Mercy Health Systems
Email: [EMAIL PROTECTED]

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED] On Behalf Of Haberstroh, Debbie (IT)
Sent: Tuesday, January 22, 2008 2:46 PM
To: [email protected]
Subject: [ADSM-L] TSM admin password expired

Hi all,

I have a server that was recently updated to 5.4 from an old TSM server. One of the admin accounts, called OPERATOR, had a password expire over the weekend so this morning the administrator updated the password. Now we are getting the following messages:

1/22/08 2:00:00 PM CST ANR0407I Session 17320 started for administrator OPERATOR (AIX) (Tcp/Ip aixdb(64763)). (SESSION: 17320)
1/22/08 2:00:00 PM CST ANR2177I OPERATOR has 1 invalid sign-on attempts. The limit is 3. (SESSION: 17320)
1/22/08 2:00:00 PM CST ANR0418W Session 17320 for administrator OPERATOR (AIX) is refused because an incorrect password was submitted. (SESSION: 17320)

How do we find out what jobs are trying to run with this account so we can reset it? This would have been set up a long time ago by an administrator that is no longer here. Any help would be appreciated, thanks.

Debbie Haberstroh
Server Administration
Northrop Grumman Information Technology
Commercial, State & Local (CSL)
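
Added example, not part of the original thread: a shell function for the crontab search suggested in the reply, which checks every user's crontab entries and the scripts they name for `dsmadmc` or the admin ID. The function name, the crontab directory in the comment and the sample files built by `demo` are assumptions constructed for illustration.

```shell
#!/bin/sh
# scan_cron_for_admin CRON_DIR [ADMIN_ID]
# Prints "user file:lineno:text" for every crontab entry, and every line of
# a script named by a crontab entry, that mentions dsmadmc or ADMIN_ID.
# Run as root so all crontabs and scripts are readable.
# CRON_DIR is assumed to be /var/spool/cron/crontabs on AIX.
scan_cron_for_admin() {
    cron_dir=$1
    pattern="dsmadmc|${2:-operator}"
    for tab in "$cron_dir"/*; do
        [ -f "$tab" ] || continue
        user=$(basename "$tab")
        # Hits in the crontab entries themselves (comment lines dropped).
        grep -Ein "$pattern" "$tab" | grep -v '^[0-9]*:[[:space:]]*#' |
            awk -v p="$user $tab" '{ print p ":" $0 }'
        # Hits inside each absolute-path file named on a crontab line.
        grep -v '^[[:space:]]*#' "$tab" | tr -s ' \t' '\n\n' |
            grep '^/' | sort -u |
            while read -r script; do
                [ -f "$script" ] || continue
                grep -Ein "$pattern" "$script" |
                    awk -v p="$user $script" '{ print p ":" $0 }'
            done
    done
}

# Constructed sample tree (not from the thread) so the scan runs offline.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/crontabs" "$d/scripts"
    printf '%s\n' '#!/bin/ksh' \
        'dsmadmc -id=operator -password=PLACEHOLDER "query process"' \
        > "$d/scripts/tsm_check.sh"
    printf '%s\n' '# nightly TSM check' \
        "0 2 * * * $d/scripts/tsm_check.sh >/dev/null 2>&1" \
        > "$d/crontabs/backup"
    printf '%s\n' '0 * * * * /opt/constructed/rotate_logs.sh' \
        > "$d/crontabs/root"
    scan_cron_for_admin "$d/crontabs" operator
    rm -rf "$d"
}

demo
```

Matching lines are printed in full, so the output can contain the hardcoded password itself; scripts that are started indirectly (from a wrapper or another scheduler) are not followed.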
