KBA-01582: Password Expiration and Requiring a New Password

Question:

Can I make passwords expire after a certain number of days?
Can I make a user (or a group of users) have to change their password?
Can I make an unused account expire?

Answer:

Yes.

Password Expiration

To enforce a password expiration policy that requires a password change at a fixed interval (every 30 days, 42 days, or whatever interval you choose), begin in ICTool.

  • Specify the number of days between required password changes, then republish.  After the republish, every user who does not have the 'password never expires' option checked on their Contact Details (shown below) is subject to this policy.

Note: When first enabling the Password Expires option you might want to give users a grace period; see Additional Comments below.  A few days prior to expiration, users will be prompted to change their password.  After expiration, they will be forced to change it at their next login, just as if the 'must change password' option on the Contact Detail were checked.

Note: You may wish to begin by deciding which users should have the 'password never expires' option before you republish, since every other user becomes subject to the interval immediately.

One Time Change

You can require one or more users to change their password the next time they log in by checking the 'must change password' check box at the bottom of the General tab of the Contact Detail form.  Immediately upon the user's next successful login, they are taken to the password change dialog, where they must enter the old password again and then the new password twice.

Note: prior to V2019.0.7225, the Must Change Password checkbox will not appear if the Expire PW After field in ICTool (shown above) is set to zero.

Account Expiration

You can specify a date after which a user account is no longer usable.  You might do this for a temporary or terminated employee.  You can also specify that an account becomes inactive after a specified number of days without use.

Note: Unlike password expiration or recovery, an expired account requires administrative review and action to re-enable it.   To enforce a specific date, set the Valid Until field (shown in the second image above).  For sliding expiration, review the interval specified in ICTool (default is 45 days) and adjust as desired, then check the 'Expire Account if Unused' option (shown above).  If you review the user record later, the Valid Until date will have been updated to 45 days (or the configured interval) after the user's last login.

Additional Comments:

If you are enacting mandatory password expiration, many users may suddenly find themselves with expired passwords.  You might wish to give users a grace period by treating all users as if they had recently changed their passwords.  To do this, use SQL Management Studio and run the following command in the target database (take a backup first, since it rewrites the last-change timestamp for every active user).  You might change the 7 to a different portion of your password change interval:

-- Treat every active user's password as changed 7 days ago, but only where the
-- real (or missing) last-change date is older than that, so recent changes are kept.
UPDATE dbo.xsfUser
SET lastpwchange = DATEADD(day, -7, GETDATE())
WHERE sfUser = 1
  AND ISNULL(lastpwchange, '1900-01-01') < DATEADD(day, -7, GETDATE());

If you want most users to be subject to password aging, with exceptions based on membership in one or more roles, you might use SQL Management Studio and run a script similar to:

-- First subject every active user to password aging...
UPDATE uu
SET uu.PWAging = 1
FROM dbo.xsfUser uu
WHERE uu.sfUser = 1;

-- ...then exempt members of any role whose name contains 'NotEver'.
UPDATE uu
SET uu.PWAging = 0
FROM dbo.xsfUser uu
WHERE uu.sfUser = 1
  AND EXISTS (SELECT * FROM dbo.vsf_ExpandedUserRoles xr
              WHERE xr.UserKey = uu.UserKey AND xr.RoleName LIKE '%NotEver%');
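Both scripts above change data for every active user, so it is worth knowing the blast radius before committing.  The following T-SQL is an added example and not part of KBA-01582 or the product: it previews how many users would be expired at republish, lists who the role-based exception would exempt, and dry-runs the grace-period update inside a transaction that is rolled back.  Table, view and column names are taken from the scripts on this page; the values of @IntervalDays and @GraceDays are assumptions that must be set to match the Expire PW After value in ICTool and the grace period you chose, and the reading of PWAging = 0 as 'password never expires' is inferred from the role-based script rather than stated by the article.

```sql
-- Added example (not from KBA-01582). Assumptions: @IntervalDays matches the
-- ICTool "Expire PW After" setting; @GraceDays matches the grace-period script;
-- PWAging = 0 is taken to mean "password never expires".
DECLARE @IntervalDays int = 42;   -- assumption: interval configured in ICTool
DECLARE @GraceDays    int = 7;    -- assumption: same value as the grace-period UPDATE
DECLARE @Cutoff datetime = DATEADD(day, -@IntervalDays, GETDATE());

-- 1. Impact check: active, aging-enabled users whose last change (or missing
--    change date) is older than the interval would be expired immediately.
SELECT COUNT(*) AS UsersExpiredAtRepublish
FROM dbo.xsfUser
WHERE sfUser = 1
  AND PWAging = 1
  AND ISNULL(lastpwchange, '1900-01-01') < @Cutoff;

-- 2. Exception review: who the role-based script would exempt from aging.
--    Review this list before clearing PWAging for them.
SELECT uu.UserKey, xr.RoleName
FROM dbo.xsfUser uu
JOIN dbo.vsf_ExpandedUserRoles xr ON xr.UserKey = uu.UserKey
WHERE uu.sfUser = 1
  AND xr.RoleName LIKE '%NotEver%'
ORDER BY uu.UserKey;

-- 3. Dry run of the grace-period update. Inspect RowsThatWouldChange and
--    change ROLLBACK to COMMIT only once the number matches expectations.
BEGIN TRANSACTION;
UPDATE dbo.xsfUser
SET lastpwchange = DATEADD(day, -@GraceDays, GETDATE())
WHERE sfUser = 1
  AND ISNULL(lastpwchange, '1900-01-01') < DATEADD(day, -@GraceDays, GETDATE());
SELECT @@ROWCOUNT AS RowsThatWouldChange;
ROLLBACK TRANSACTION;
```

Run steps 1 and 2 first; if UsersExpiredAtRepublish is most of the user base, that is the signal to apply the grace period before republishing.  Step 3 deliberately ends in ROLLBACK so the script is safe to run repeatedly in SQL Management Studio until you are satisfied with the count.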


KBA-01582; Last updated: October 14, 2019 at 11:55 am