Saquib Absent Member.

Setting independent user password expiration

We have NetIQ iManager v3.0.0 set up. Under Password --> Password Policies there is an option to set universal password. However, I want to set an independent time frame for the password to expire for each user. I do not want the password to expire for all users at once. Please help regarding the setup that needs to be done so that I can customize the expiration days.
Knowledge Partner

Re: Setting independent user password expiration

There may be a misunderstanding; passwords do not all expire at the same
time unless they are all set at the same time, and that is not normally
the case.

It may be good to step back and figure out the business case behind your
desire against "[passwords] to expire for all users at once" since that is
not normally a problem technologically either. I suppose it could mean
calls to the helpdesk, but that too may imply a problem with the
implementation. Ideally passwords should not reach the expired state any
more than milk in your refrigerator should. Having a user forced to
change passwords at all, to say nothing about doing it at the last minute
when they are forced or else they will lose the ability to log in, is a
great way for users to end up using, or reusing, weak or written-down
passwords. It is better to give them a notification ahead of time so they
can set it when they are not frantically logging in to do some critical
and time-sensitive task, and when they can think of a new strong password
and remember it without relying on sticky notes.

Better yet, as the security industry has recommended for a while and on
which governments are finally fixing their incorrect opinion: do not
expire otherwise-valid passwords, since a password that is not compromised
is no stronger when you change it, and arguably will be weaker because
humans are forced to remember too many strong passwords, so they default
to weaker passwords or password strategies.

Password policies are policies, meaning they are something defined for the
business rather than being arbitrarily applied on a per-user basis. As
such, what you are asking is contrary to the purpose of a policy and
cannot be done from the policy level.

With that written, you can use the legacy NDS 'Password Expiration Time'
attribute to set a password to expire SOONER than the policy's mandate,
meaning if you have a 365-day policy and the user sets their password
today, you can manually change the user's password to expire sometime
before 365 days from now using iManager, ConsoleOne, LDAP, or anything
else that can modify that attribute (such as Identity Manager (IDM)).


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
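The LDAP route mentioned in the reply above, as an added example that is not part of the original thread and is not NetIQ code: it builds an LDIF modify record that sets a user's expiration earlier than the policy would, and clamps the date so it never lands later than the policy deadline. The attribute name `passwordExpirationTime` is assumed to be the LDAP mapping of 'Password Expiration Time' on your server, and the DN and dates are constructed samples.

```python
import base64
from datetime import datetime, timedelta, timezone

# Assumption: LDAP name mapped to the NDS 'Password Expiration Time'
# attribute; confirm it in your server's LDAP attribute mappings.
EXPIRY_ATTR = "passwordExpirationTime"


def early_expiry(password_set, policy_days, expire_after_days):
    """Return the expiry instant, never later than the policy's own deadline."""
    if expire_after_days < 0:
        raise ValueError("expire_after_days must not be negative")
    if password_set.tzinfo is None:
        raise ValueError("password_set must be timezone-aware")
    policy_deadline = password_set + timedelta(days=policy_days)
    wanted = password_set + timedelta(days=expire_after_days)
    return min(wanted, policy_deadline).astimezone(timezone.utc)


def generalized_time(moment):
    """Format a datetime as LDAP Generalized Time in UTC."""
    return moment.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def ldif_dn_line(dn):
    """Emit the dn line, base64-encoding values that are not LDIF-safe."""
    safe = (dn.isascii() and dn.isprintable()
            and not dn.startswith((" ", ":", "<")) and not dn.endswith(" "))
    if safe:
        return "dn: " + dn
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")


def expiry_ldif(dn, password_set, policy_days, expire_after_days):
    """Build an LDIF modify record that replaces the expiration attribute."""
    when = early_expiry(password_set, policy_days, expire_after_days)
    return "\n".join([
        ldif_dn_line(dn),
        "changetype: modify",
        "replace: " + EXPIRY_ATTR,
        EXPIRY_ATTR + ": " + generalized_time(when),
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: the DN and dates are made up for illustration.
    set_on = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    print(expiry_ldif("cn=jdoe,ou=users,o=example", set_on, 365, 90))
```

The printed record can be applied with any LDAP client that accepts LDIF, using an account that has rights to modify that attribute.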