Different methods to Lock or unlock SAP users

I want to lock all the users in SAP during MTP.  I know using SU10 we can do it. Any other alternative ways to lock the users.

Is there a way in SAP to unlock a locked user for a limited time, then automatically after x time set the user back to lock status? 

You can fill in "valid from" and "valid until", but you cannot say from Monday to Friday from 8 - 12:00 for part time workers. 

Can we schedule to lock all users?

If users get locked, from SU01 you can unlock them. 

Use SU10 to mass lock/unlock the users.

Use address data or authorisation data to get a list of users - select the ones you want and 

click transfer. 

Once this is done click on lock or unlock. 

You can also use transaction code EWZ5 to mass lock/unlock the users

or 

Execute program EWULKUSR in SE38

or 

Set a profile parameter (login/failed_user_auto_unlock) to unlock at midnight the locked users. 

or 

Here's an ABAP code, short and simple, isn't it? 

REPORT zreusrlock. 

DATA: time_limit TYPE sy-datum. 
DATA: days TYPE i VALUE 40. 

time_limit = sy-datum - days. 
UPDATE usr02 SET uflag = 64 WHERE trdat < time_limit.

If you don't want to specify the time in the program, you can use SE38 to schedule it as a daily background job with the date and time.

or

Probably the easiest way would be to write a sqlplus SQL script that sets all the UFLAG fields in table USR02 to 64 EXCEPT for the BNAMEs you don't want locked. When you are done, you can do the same again but change the UFLAG field to 0. 

The SQL statement would look like: 

update SAPR3.USR02 set UFLAG = 64 where MANDT = <client number> and BNAME != <don't lock user 1> 
AND BNAME != <don't lock user 2>; 

You can replace != with <> if you want. To run this from an OS command line, you would type: 

Unix/Oracle 8---> sqlplus internal @<SQLpath+SQLname> 
NT/Oracle 8.0---> plus80 internal @<SQLpath+SQLname> 
NT/Oracle 8.1---> sqlplus internal @s<SQLpath+SQLname> 
Unix/Oracle 9:--> sqlplus /nolog @<SQLpath+SQLname> 
NT/Oracle 9-----> sqlplus /nolog @<SQLpath+SQLname> 

In UNIX you can cron the script to schedule it. In NT you can schedule it as a task.

or

This is another method to UNLOCK ALL users. 

Start Oracle Server manager (I assume you are on Oracle) 
connect internal 
update sapr3.usr02 set uflag='0' where mandt='399'; 

When users are locked, the uflag is set to 64. 

Finish, just query to check. 

select bname, uflag from sapr3.usr02 where mandt='399'; 

Please note that unlocking users from low level (like Oracle sqlplus) should be used as last resort. Frequent use of low level access may tempt you to use on other things. Highly dangerous and your IS auditors will not be too happy. 

Is there a way to set a list of users that cannot be locked, even if we try to lock them manually, and even if they fail connection ( wrong password )?

Increase this parameter in SAP Instance profile: 

login/fails_to_user_lock = 6 (max is 99 wrong attempts, i.e, value 99). Currently you have a value of 3. 

login/failed_user_auto_unlock (for your midnight unlocking). 

Ask users to remember passwords!! If someone is deliberately login-in with different username/password (thereby blocking legitimate access of that user), check hostname from SM21. 

This is considered as DoS (Denial of Service). 

SAP BC Tips

Reference to related Topics:
How to change the default password for user sap*?
Changing the default password for sap* user

Auditing
The Step required to Audit at the User Level 

Get help regarding your Basis problems 
Do you have a SAP Basis Question?

SAP Basis Admin Books
SAP System Administration, Security, Authorization, ALE, Performance Tuning Reference Books

Best regards,
SAP Basis, ABAP Programming and Other IMG Stuff
http://www.erpgreat.com

All the site contents are Copyright © www.erpgreat.com and the content authors. All rights reserved.
All product names are trademarks of their respective companies.  The site www.erpgreat.com is in no way affiliated with SAP AG. 
Every effort is made to ensure the content integrity. Information used on this site is at your own risk. 
 The content on this site may not be reproduced or redistributed without the express written permission of 
www.erpgreat.com or the content authors.