Reset UNIX User password in AIX

To reset a UNIX user password in AIX you unlock the account, zero out the failed login counter, and set a new password with the passwd command — then optionally clear the ADMCHG flag so the user is not forced to change it at first login. This guide walks through the complete, accurate workflow on IBM AIX using lsuser, chuser, passwd, and the smitty menus.

A locked-out account on AIX is rarely a single problem. A user can be blocked because they exhausted their unsuccessful login attempts, because the account itself is administratively locked, or because the password is simply expired. To reset a UNIX user password in AIX reliably, you have to check and clear each of these conditions in order — otherwise you hand the user a fresh password and they still cannot log in.

Why AIX accounts get locked in the first place

AIX stores per-user security attributes in /etc/security/user and /etc/security/passwd, and it tracks runtime state such as the failed-login tally. The most common reasons a user reports they “can’t log in” are:

  • Too many bad password attempts — once unsuccessful_login_count reaches the loginretries threshold, AIX blocks further logins on that terminal.
  • The account is locked (account_locked=true), set manually or by policy.
  • Expired or admin-set password — the ADMCHG flag forces a password change at next login, which can confuse users who expect a permanent password.
  • Expired account — the expires date has passed.

Always confirm which of these applies before you act. Resetting the password without unlocking the account just wastes a round trip with the requester.

Step-by-step: reset a UNIX user password in AIX

The example below uses a user named cmanton. Run every command as root (or via a role with the appropriate authorizations). Replace the username with your own throughout.

  1. Check the failed-login counter. List the unsuccessful login count to see how close the user is to being locked out:

    lsuser -a unsuccessful_login_count cmanton

    Typical output: cmanton unsuccessful_login_count=5

  2. Reset the counter to zero. If the count equals or exceeds the configured loginretries value, clear it:

    chuser unsuccessful_login_count=0 cmanton

  3. Check whether the account is locked. A non-zero failed count is not the only blocker — verify the explicit lock flag too:

    lsuser -a account_locked cmanton

    If it returns cmanton account_locked=true, the account is administratively locked.

  4. Unlock the account. Flip the flag back to false:

    chuser account_locked=false cmanton

  5. Set the new password. On AIX the correct command is passwd (not password):

    passwd cmanton

    You will be prompted twice:

    Changing password for "cmanton"
    cmanton's New password:
    Enter the new password again:

  6. Optionally clear the forced-change flag. When root sets a password, AIX adds the ADMCHG flag, which forces the user to change it at first login. If the user must keep the exact password you set, remove that flag (covered below).

That sequence — chuser unsuccessful_login_count=0, chuser account_locked=false, then passwd — is the full, correct way to reset a UNIX user password in AIX from the command line.
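
The checks in steps 1 to 4 can be scripted so that only the blockers actually present are cleared. This is an added example, not part of the original guide: the function names diagnose_user and expires_to_sortable and the sample line are constructed for illustration, and the script only prints the commands rather than running them.

```sh
# Added example (not from the original guide): read one line of `lsuser -a` output
# and print the fix-up commands from the steps above. It only prints; nothing is run.
# On AIX, as root:
#   lsuser -a account_locked unsuccessful_login_count loginretries expires USER | diagnose_user

# Constructed sample line, so the function can be exercised off-box.
SAMPLE_LSUSER='cmanton account_locked=true unsuccessful_login_count=5 loginretries=3 expires=0'

# Convert AIX "expires" (MMDDhhmmyy) into a sortable YYYYMMDDhhmm string.
expires_to_sortable() {
    yy=$(printf '%s' "$1" | cut -c9-10)
    case $yy in 39|[4-9][0-9]) cc=19 ;; *) cc=20 ;; esac  # yy covers 1939-2038
    printf '%s%s%s\n' "$cc" "$yy" "$(printf '%s' "$1" | cut -c1-8)"
}

# stdin: one lsuser line. $1: "now" as YYYYMMDDhhmm (defaults to the system clock).
# Runs in a subshell "( )" so set -f and the variables stay local.
diagnose_user() (
    set -f
    now=${1:-$(date +%Y%m%d%H%M)}
    read -r user attrs || exit 2
    # Reject anything but a plain account name before echoing it into commands.
    case $user in ''|*[!A-Za-z0-9._-]*) echo "unexpected user name" >&2; exit 2 ;; esac
    locked=false count=0 retries=0 expires=0
    for kv in $attrs; do
        case $kv in
            account_locked=*)           locked=${kv#*=} ;;
            unsuccessful_login_count=*) count=${kv#*=} ;;
            loginretries=*)             retries=${kv#*=} ;;
            expires=*)                  expires=${kv#*=} ;;
        esac
    done
    for n in "$count" "$retries" "$expires"; do
        case $n in ''|*[!0-9]*) echo "non-numeric attribute" >&2; exit 2 ;; esac
    done
    # loginretries=0 means no automatic lock, so the counter only blocks when > 0.
    if [ "$retries" -gt 0 ] && [ "$count" -ge "$retries" ]; then
        echo "chuser unsuccessful_login_count=0 $user"
    fi
    if [ "$locked" = true ]; then echo "chuser account_locked=false $user"; fi
    if [ "${#expires}" -eq 10 ] && [ "$(expires_to_sortable "$expires")" -lt "$now" ]; then
        echo "# account expired (expires=$expires): fix the expiry first"
    fi
    echo "passwd $user"
)
```

Review the printed commands before running them; an expired account is reported as a comment line because the steps above do not cover changing the expiry date.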

Doing it the menu way with smitty

If you prefer a guided interface, AIX ships smitty (the System Management Interface Tool). Launch the user menu:

smitty user

You will see options similar to these:

Menu item                                  What it does
Add a User                                 Create a new account
Change a User's Password                   Set or reset the password (calls passwd)
Change / Show Characteristics of a User    Edit attributes such as account_locked
Lock / Unlock a User's Account             Toggle the lock flag
Reset User's Failed Login Count            Zero the unsuccessful login counter
Remove a User                              Delete the account
List All Users                             Show defined users

To clear a lockout: choose Reset User's Failed Login Count, type the username in the * User NAME entry field, and press Enter. You can press F4 (or Esc+4) on that field to pop up a list of users instead of typing. Then use Change a User's Password to set the new password, and Lock / Unlock a User's Account if the account itself was locked.

A handy shortcut is the fast path: running smitty passwd jumps straight to the change-password panel. Everything smitty does is just a friendly wrapper around the same chuser and passwd commands, so use whichever fits your workflow.

Removing the ADMCHG flag so the password sticks

By default, any password set by an administrator is marked ADMCHG in /etc/security/passwd. On the user’s next login AIX immediately demands a new password. That is the secure default, and for most help-desk resets you should leave it on — the user picks their own secret and you never know it.

But sometimes the requirement is a specific, fixed password (a service account, a shared test box). In that case you must remove the ADMCHG flag. The user’s stanza in /etc/security/passwd looks like this:

cmanton:
    password = YuFGlqKjK0dLE
    lastupdate = 1137692182
    flags = ADMCHG

You have two safe ways to clear it:

  • Preferred — use pwdadm: run pwdadm -c cmanton. The -c option clears the ADMCHG flag without you hand-editing a system file. This is the supported method and avoids syntax mistakes.
  • Manual edit: open /etc/security/passwd with a careful editor (vi) and delete ADMCHG from the flags = line for that user, leaving the line as flags = (empty) if it was the only flag.

Note that password = YuFGlqKjK0dLE is the encrypted hash, not the plaintext — you cannot read a user’s real password from this file, and you should never share that hash.

Common pitfalls when you reset a UNIX user password in AIX

  • Using password instead of passwd. The AIX command is passwd. password is not a standard AIX command and will return “not found.”
  • Resetting the password but forgetting the lock. If account_locked=true or the failed-login count is still maxed, the new password will not get the user in. Clear both first.
  • Forgetting ADMCHG. If the user keeps reporting “it asks me to change the password again,” that is the ADMCHG flag doing exactly its job — clear it only if a permanent password is genuinely required.
  • Overlooked expiry. Check lsuser -a expires cmanton; an expired account (a non-zero past date) blocks login regardless of the password.
  • Login retries threshold. The lock trips at the value of loginretries — verify it with lsuser -a loginretries cmanton; 0 means unlimited (no auto-lock).
  • Editing /etc/security/passwd carelessly. A broken stanza can lock everyone out. Take a backup (cp /etc/security/passwd /etc/security/passwd.bak) before manual edits, and prefer pwdadm.

Verification: confirm the reset actually worked

Never close the ticket on faith. Verify each attribute and, ideally, the login itself:

  1. Confirm the counter is zero: lsuser -a unsuccessful_login_count cmanton should show unsuccessful_login_count=0.
  2. Confirm the account is unlocked: lsuser -a account_locked cmanton should show account_locked=false.
  3. Confirm the password state: pwdadm -q cmanton reports the flags; with ADMCHG cleared, the flags line will no longer list it.
  4. Confirm last update: a fresh lastupdate timestamp in /etc/security/passwd proves the password was actually changed.
  5. Test a real login (from a test session or have the user try) before replying to the requester that the password reset has been completed.

Once all four attributes check out and the user can authenticate, you are done. A short, accurate “your password has been reset; you will be asked to set your own at first login” note to the requester closes the loop cleanly.
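
Checks 3 and 4 can be read from the stanza text without exposing the password field. This is an added example, not part of the original guide: the function name password_state and the sample stanzas are constructed, and it assumes pwdadm -q prints the same stanza layout shown in the ADMCHG section.

```sh
# Added example (not from the original guide): summarise password flags and age
# from stanza-format text on stdin, without ever printing the password field.
# Assumed use on AIX, as root:  pwdadm -q USER | password_state

# Constructed sample in the stanza layout shown above (hash is a placeholder).
SAMPLE_STANZAS='cmanton:
    password = CONSTRUCTED-PLACEHOLDER
    lastupdate = 1137692182
    flags = ADMCHG

svcacct:
    password = CONSTRUCTED-PLACEHOLDER
    lastupdate = 1137605782
    flags ='

# $1: current time in epoch seconds (defaults to `date +%s`; pass it explicitly
# on systems whose date lacks %s).
# Output per user: "<user> admchg=<yes|no> age_days=<n|unknown>"
password_state() {
    now=${1:-$(date +%s)}
    awk -v now="$now" '
        function emit() {
            if (user != "") printf "%s admchg=%s age_days=%s\n", user, admchg, age
        }
        # Stanza header: unindented "name:" line.
        /^[^ \t].*:[ \t]*$/ {
            emit()
            user = $0; sub(/:[ \t]*$/, "", user)
            admchg = "no"; age = "unknown"
            next
        }
        # lastupdate is epoch seconds of the last password change.
        $1 == "lastupdate" && $2 == "=" && $3 ~ /^[0-9]+$/ {
            age = int((now - $3) / 86400)
        }
        # flags may hold several comma-separated values; look for ADMCHG only.
        $1 == "flags" && $0 ~ /(^|[ ,=])ADMCHG([ ,]|$)/ { admchg = "yes" }
        END { emit() }
    '
}
```

After a reset, age_days should be 0 for the account you changed; admchg=yes is the expected state unless a fixed password was required.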

Quick command reference

Task                        Command
Show failed-login count     lsuser -a unsuccessful_login_count cmanton
Reset failed-login count    chuser unsuccessful_login_count=0 cmanton
Show lock status            lsuser -a account_locked cmanton
Unlock the account          chuser account_locked=false cmanton
Set the password            passwd cmanton
Clear forced-change flag    pwdadm -c cmanton
Query password flags        pwdadm -q cmanton
Menu interface              smitty user or smitty passwd

Key Takeaways

  • To reset a UNIX user password in AIX, clear the failed-login count, unlock the account, then run passwd — in that order.
  • The AIX command is passwd, not password; use lsuser to read attributes and chuser to change them.
  • An admin-set password carries the ADMCHG flag, forcing a change at next login; clear it with pwdadm -c only when a fixed password is required.
  • smitty user (or the smitty passwd fast path) gives the same result through a guided menu.
  • Always verify with lsuser/pwdadm -q and a test login before reporting the reset complete.

Frequently Asked Questions

What is the command to reset a password in AIX?

Run passwd username as root, for example passwd cmanton. You will be prompted to enter the new password twice. If the account is also locked, first run chuser account_locked=false username and chuser unsuccessful_login_count=0 username.

How do I unlock a locked AIX user account?

Check the status with lsuser -a account_locked username. If it shows account_locked=true, unlock it with chuser account_locked=false username. Also reset the failed-login counter using chuser unsuccessful_login_count=0 username, since a maxed counter blocks login independently of the lock flag.

What does the ADMCHG flag mean in /etc/security/passwd?

ADMCHG means an administrator set the password, so AIX forces the user to change it at their next login. To let a fixed password persist, remove the flag with pwdadm -c username, or manually delete ADMCHG from the user’s flags = line in /etc/security/passwd.

How can I check why an AIX user cannot log in?

Inspect the key attributes together: lsuser -a account_locked unsuccessful_login_count loginretries expires username. A true lock, a counter at or above loginretries, or a past expires date will each block login even with a valid password.
