List the user profiles on your system and check for employees who have left or changed their job assignment:
Create a database of your user profiles using the DSPUSRPRF command with the *OUTFILE option, then run a series of query reports to search for expired passwords, profiles with *ALLOBJ authority, and so on as appropriate for your installation. When you have the database, check for records with the field name UPEXPD that have content. These should be the expired profiles and the field will contain the date they expired.
Using "New Nav", you can bring up a list of users, select an option to include the expiration date on the display and then sort on it to quickly identify expired profiles and disable them manually while you're reviewing them.
Check for default passwords:
In Nav, add "default password" to the Users view (Users and Groups >> Users) then use that column to filter a list of user accounts that are still using the default password.
Or, in a terminal session run the Analyze Default Passwords [ANZDFTPWD] command to make sure that no default passwords exist on your system.
Use option *NONE when you run this the first time. This will either tell you that there are no problems or a report will be generated. If a report is generated, check it out before taking any further actions. The other options on the command will make changes to your user profiles, but reviewing the report first will let you decide whether or not to make the changes.