I'm assuming this is working as designed, but just wanted to make sure:
UP Policy is set to use MS 2008 Complexity
Require unique passwords
Remove passwords when list is full. History list size: 13
Number of days before pass can be changed: 1
Number of days before pass expires: 90
Now, user either can't/won't use the Forgotten Password (see my post in the SSPR forum for issues we're having), so calls the helpdesk.
Helpdesk manually changes his password, which of course, expires the password.
User logs in with new password and is prompted to change their password.
User changes their password.
Next day (within 24 hours), user forgets again (yeup). Doesn't/can't/won't use the Forgotten Password (although it wouldn't work anyway in my testing--at least with the latest Novell Client). Calls helpdesk to have his password reset/changed.
Helpdesk does that. Which expires the password.
User logs in and is prompted to change password, but can't because:
BTW, same would happen if user tried to use (successfully) the Forgotten Password and correctly answered their challenge/response questions, because 1 day hasn't passed. --At least if using the Novell client. Seems that SSPR bypasses (at least in my testing with our version) this magical loophole, but only on a Forgotten Password.
Q1: I'm assuming the 1 day time for the UP setting hasn't been met yet (SSPR doesn't tell me why the password can't be changed, just that it doesn't match the requirements)?--Actually no, this does NOT work. NMAS keeps re-setting the date to "now", so that's not even an option.
Q2: Only "workarounds" I've found would be to manually increase his expiration date of the password by 1 day so user could login with "temp" password until the 24 hours has lapsed?
Any other workarounds (short of abusing the user)?
I've got a "sorta" workaround by using SSPR, provided the user has used SSPR to answer their challenge/response questions (won't work if you use the Novell Client to answer your challenge/response questions for some reason) - in that, SSPR "forgotten password" seems to bypass the 24 hour setting. Novell Client, however, will adhere to that.