KBA-01582: Password Expiration and Requiring a New Password

Question:

Can I set a minimum for password length?
Can I make passwords expire after a certain number of days?
Can I make a user (or all users) have to change their password?
Can I make an unused account expire?

Answer:

Password Expiration

To enforce a password expiration policy that requires a password change at a fixed interval (every 30 days, 42 days, or whatever you choose), begin in ICTool.

  • Specify the number of days between required password changes, then republish (i.e. on the Finish tab).  After the republish, all users who do not have the 'password never expires' option checked on their Contact Details (shown below) will be subject to this policy.

Note: When first enabling the Password Expires option you might want to give users a grace period; see Additional Comments below.  A few days prior to expiration, users will be encouraged to change their password.  After expiration, they will be forced to change their password, just as if the 'must change password' option on the Contact Detail were checked.

Note: You may wish to begin by deciding which users should have the 'password never expires' option.

One Time Change

You can require one or more users to change their password the next time they log in by checking the 'must change password' check box at the bottom of the General tab of the Contact Detail form.  Immediately upon the user's next successful login, they will be taken to the password change dialog.  The user will be required to enter the old password again and then the new password twice.

Account Expiration

You can indicate that an account should expire if it goes unused.  You might do this for a temporary or terminated employee.

Note: Unlike password expiration or password recovery, an expired account requires administrative review and action to re-enable it.   Set the 'Valid Until' field (shown in the second image above) to enforce a specific date.  Check the 'Expire Account if Unused' option (shown above).  If you review the account later, you will see that the 'Valid Until' date keeps moving forward to 45 days after the user's most recent login.

Additional Comments:

If you enable mandatory password expiration, many users may suddenly find themselves with expired passwords.  You can give them a grace period by treating every user as though they had changed their password recently.  To do this, use SQL Management Studio and run the following command in the target database.  The 7 is the number of days of the change interval treated as already used; change it to suit your interval (with a 30-day interval and the value 7, affected users have 23 days before they are forced to change):

UPDATE dbo.xsfUser
SET lastpwchange = DATEADD(day, -7, GETDATE())
WHERE sfUser = 1
  AND ISNULL(lastpwchange, '1900-01-01') < DATEADD(day, -7, GETDATE());

If you want to make most users subject to password aging and then apply exceptions based on membership in one or more roles, you might use SQL Management Studio and run a script similar to the following (the second statement clears aging for every user who holds any role whose name contains 'NotEver'):

UPDATE uu
SET uu.PWAging = 1
FROM dbo.xsfUser uu
WHERE sfUser = 1;

UPDATE uu
SET uu.PWAging = 0
FROM dbo.xsfUser uu
WHERE sfUser = 1
  AND EXISTS (SELECT *
              FROM dbo.vsf_ExpandedUserRoles xr
              WHERE xr.UserKey = uu.UserKey
                AND xr.RoleName LIKE '%NotEver%');
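The following T-SQL is an added example, not part of this KBA or the product's own scripts.  It runs both the grace-period update and the role-based aging exception above as a dry run against constructed sample data, then lists when each account would be forced to change its password, so the effect can be checked before the statements are run against dbo.xsfUser.  The column names UserKey, sfUser, PWAging and lastpwchange and the view columns UserKey and RoleName come from the scripts above; the UserName column, the 30-day interval, the role name 'PasswordNotEverExpires' and all sample rows are assumptions made for the example.

```sql
-- Added example (not from the KBA): dry run of the grace-period and
-- role-exception scripts on constructed data, then a review query.
-- Assumed: a 30-day change interval; a UserName column; the sample rows
-- and the role name 'PasswordNotEverExpires' are constructed.
SET NOCOUNT ON;

DECLARE @Interval int = 30;   -- days between required changes (assumed)
DECLARE @UsedDays int = 7;    -- portion of the interval treated as already used
DECLARE @Now datetime = GETDATE();

-- Constructed stand-in for dbo.xsfUser (columns as used by the KBA scripts)
DECLARE @xsfUser TABLE (
    UserKey      int          NOT NULL,
    UserName     nvarchar(50) NOT NULL,   -- assumed column, for readability
    sfUser       bit          NOT NULL,
    PWAging      bit          NOT NULL,
    lastpwchange datetime     NULL
);
INSERT INTO @xsfUser (UserKey, UserName, sfUser, PWAging, lastpwchange) VALUES
    (1, 'alice',    1, 0, NULL),                      -- never changed
    (2, 'bob',      1, 0, DATEADD(day, -400, @Now)),  -- long overdue
    (3, 'carol',    1, 0, DATEADD(day, -3, @Now)),    -- changed recently
    (4, 'svc_acct', 1, 0, DATEADD(day, -200, @Now)),  -- member of a NotEver role
    (5, 'ext_user', 0, 0, DATEADD(day, -500, @Now));  -- sfUser = 0

-- Constructed stand-in for dbo.vsf_ExpandedUserRoles
DECLARE @ExpandedUserRoles TABLE (UserKey int NOT NULL, RoleName nvarchar(100) NOT NULL);
INSERT INTO @ExpandedUserRoles (UserKey, RoleName) VALUES
    (1, 'Users'),
    (4, 'Users'),
    (4, 'PasswordNotEverExpires');

-- 1. Grace period: the KBA's UPDATE with the 7 made a parameter.
--    Only rows whose last change is older than @UsedDays (or NULL) move.
UPDATE uu
SET lastpwchange = DATEADD(day, -@UsedDays, @Now)
FROM @xsfUser uu
WHERE sfUser = 1
  AND ISNULL(lastpwchange, '1900-01-01') < DATEADD(day, -@UsedDays, @Now);

-- 2. Aging for every sfUser, then exempt members of any '%NotEver%' role.
UPDATE uu
SET PWAging = 1
FROM @xsfUser uu
WHERE sfUser = 1;

UPDATE uu
SET PWAging = 0
FROM @xsfUser uu
WHERE sfUser = 1
  AND EXISTS (SELECT 1
              FROM @ExpandedUserRoles xr
              WHERE xr.UserKey = uu.UserKey
                AND xr.RoleName LIKE '%NotEver%');

-- 3. Review: projected forced-change date and days remaining per account.
--    ExpiresOn = lastpwchange + @Interval for aged accounts, NULL otherwise.
SELECT UserKey,
       UserName,
       sfUser,
       PWAging,
       lastpwchange,
       CASE WHEN PWAging = 1
            THEN DATEADD(day, @Interval, lastpwchange) END AS ExpiresOn,
       CASE WHEN PWAging = 1
            THEN DATEDIFF(day, @Now, DATEADD(day, @Interval, lastpwchange)) END AS DaysLeft
FROM @xsfUser
ORDER BY UserKey;
```

In the review output, accounts that were overdue or had never changed their password show @Interval minus @UsedDays days left rather than expiring on the spot, an account changed within the last @UsedDays keeps its original date, the 'NotEver' role member shows no expiry, and the sfUser = 0 row is untouched.  To use this against the real database, replace the two table variables with dbo.xsfUser and dbo.vsf_ExpandedUserRoles, wrap the statements in BEGIN TRANSACTION ... ROLLBACK to preview, and change to COMMIT only once the review query looks right.  Note that step 2 sets PWAging = 1 for every sfUser row, so any 'password never expires' settings made by hand on Contact Details are overwritten unless those users hold a matching role.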


KBA-01582; Last updated: May 16, 2023 at 14:17 pm