I have a question for my understanding:
I assign a user a password policy that forces a password change and thus causes the user's password to be expired; if I then, before the user changes the password, assign another policy, which has no setting to force password changes - is the password still expired? According to my testing it seems to be so. But I don't really understand how it works: does eDirectory set a flag somewhere to mark that password expired? Is it not a process that computes the expiration status on every login?
Thanks a lot, that clarifies it.
I did look for an attribute like "Password Expiration Time" and did not find it. Obviously this attribute is not shown in iManager's "Other" tab, because it's shown under "Force periodic password changes" even if this is disabled. So, if there is a value there, then the password will expire, regardless of whether "Force periodic password changes" is enabled or not, right? And enabling this, "Apply", and again disabling it will get rid of the "Password Expiration Time" for this user.
And the attribute is visible via LDAP of course - I should have looked there before, sometimes iManager is misleading.
Thanks for helping to sort this out!
AFAIK, this is the behaviour on current code (it's been different in the past). Other restrictions would still apply, though. So imagine user1 with an expired password (six digits long). You assign him a "non-expiring" policy with a minimum length of 8 and compliance check enabled, tick and untick "force periodic changes". In this case he'll still get the "password expired" prompt (due to insufficient password length).