Configure Password Expiration

To help manage user access, administrators can define events such as multiple failed login attempts or account inactivity. When those events are triggered, the Policy Server disables the user account that triggered the event and optionally redirects the user to a new Web page.

You use the Expiration tab of the Password Policies Properties dialog to configure events that disable user accounts.

Note: All password expiration settings are optional — specify a value for each setting that you want to enable; if you do not want to enable a particular setting, leave the field blank.

Note: When you create or modify a Policy Server object in the Policy Server User Interface, use ASCII characters. Object creation or modification with non-ASCII characters is not supported.

To configure password expiration

  1. In the Policy Server User Interface Password Policy Properties dialog, select the Expiration tab.
  2. Enable the Track successful logins option to log information about successful user logins, including the time of the last login, to the user directory. This option must be set if you want to configure passwords to expire due to inactivity.

    Note: If you do not need to configure passwords to expire from inactivity, it is recommended that you do not set this option for performance reasons.

  3. Enable the Track Failed Logins check box to log information about failed user login attempts to the user directory. This option must be set if you want to configure accounts to be disabled because of unsuccessful logins.
  4. Enable or disable the Authenticate on Login Tracking Failure check box:
  5. In the Password expires if not changed group box:
    1. Specify the amount of time that may elapse between password changes in the After <number> Days field.
    2. Specify the action that Password Services takes if a password is not changed within the specified time by selecting the disable user or force password change radio button.
    3. Specify how many days in advance users should be notified that their password will expire in the Issue expiration warnings for <number> days field.
  6. If you set the Track Failed Logins option, set options in the Incorrect Password group box:
    1. Specify the number of incorrect passwords a user can try before the user’s account is disabled in the Account will be disabled after <number> successive incorrect passwords field.
    2. In the After <number> minutes field, specify the number of minutes that will apply to the condition indicated by the radio buttons. Select one of the following radio buttons to determine the behavior of the password policy if a user fails to log in after the number of attempts specified in step 6, substep 1:
      • allow 1 login attempt—A user may attempt a single login after the specified number of minutes (step 6, substep 2). For each further failed attempt, the user must wait the specified number of minutes before making another login attempt. For example, consider a value of 3 attempts in substep 1, and a value of 10 minutes in substep 2. If a user fails to log in three times, the user may attempt a single login every ten minutes until successful.
      • re-enable account—A user’s account will be re-enabled after the specified number of minutes (step 6, substep 2). The user may attempt as many logins as specified in substep 1 before the user’s account is disabled. For example, consider a value of 3 attempts in substep 1, and a value of 10 minutes in substep 2. If a user fails to log in three times, the user may attempt three logins every ten minutes until successful.
  7. If you set the Track successful logins option, set options in the Password expires from inactivity group box:
    1. Specify the amount of time that can elapse between user logins in the After <number> Days field.
    2. Specify the action that Password Services takes if users do not log in within the specified time by selecting the disable user or force password change radio button.
  8. Click Apply to save the changes or click OK to save the changes and return to the Policy Server User Interface.
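
The two Incorrect Password behaviours from step 6, modelled as an added Python example (not Policy Server code) so that their effect on how many password guesses get evaluated can be compared before choosing a setting. The class and function names are hypothetical, and the model assumes that attempts made while the account is disabled are rejected without being counted and that the wait starts at the failure that disabled the account.

```python
# Added model of the documented lockout behaviours; not Policy Server code.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Lockout:
    threshold: int   # "Account will be disabled after <number> successive incorrect passwords"
    wait_min: int    # "After <number> minutes"
    mode: str        # "allow_one" (allow 1 login attempt) or "reenable" (re-enable account)
    failures: int = 0
    locked_until: Optional[float] = None

    def attempt(self, t_min: float, password_ok: bool) -> str:
        """Process one login attempt at time t_min (minutes) and return its outcome."""
        if self.locked_until is not None:
            if t_min < self.locked_until:
                return "rejected"  # assumption: not evaluated while disabled
            # Wait elapsed: restore a single attempt or the full allowance.
            self.failures = self.threshold - 1 if self.mode == "allow_one" else 0
            self.locked_until = None
        if password_ok:
            self.failures = 0
            return "success"
        self.failures += 1
        if self.failures >= self.threshold:
            # Assumption: the wait is measured from the disabling failure.
            self.locked_until = t_min + self.wait_min
            return "failed-disabled"
        return "failed"


def guesses_evaluated(mode: str, threshold: int, wait_min: int, horizon_min: int) -> int:
    """Wrong passwords actually checked when one is submitted every minute."""
    acct = Lockout(threshold, wait_min, mode)
    return sum(acct.attempt(t, False) != "rejected" for t in range(horizon_min))


if __name__ == "__main__":
    # The page's example values: 3 attempts, 10 minutes, observed over one hour.
    for mode in ("allow_one", "reenable"):
        print(mode, guesses_evaluated(mode, 3, 10, 60))
```

With the page's example values, the re-enable account option lets roughly twice as many guesses through per hour as allow 1 login attempt, which is the trade-off to weigh against help-desk load.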

More information:

Password Policy Dialog—Expiration Tab