How can I set password expiration without locking out accounts?
Several years ago we enabled Check Password in each user's person document, but did not specify a required change interval. We are now running 6.5.2 and using policies, but still have Check Password enabled in the person documents. Now we need to set a password expiration of 90 days for all users. When I create a security policy and apply it to a user who has not changed their password within the last 90 days, their account is locked out until they change their password, which is not the desired result. How can I set password expiration without locking out accounts? I've tried removing the password digest and changing the "last change date" to today and the users still need to change their password before they can access the server.
This will happen as the security policy is applied to the users for the first time. I have come across this issue, where -- like you -- password checking had been in force and was now "superseded" by the security policy settings.
The first time the policy is invoked, the security policy will check the last password date, which appears to come from the notes.id file rather than from the person document, as you have indicated. If the last change date is greater than 90 days, then the security policy settings are applied.
In my experience, if you are going to implement security settings via policy documents, it is best to remove the previous process -- that is, standard password checking through the Domino Directory -- and then apply the security policy once password checking (i.e., Domino Directory, "Actions" menu, "Set Password Fields," "Don't Check password") has been disabled.
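Before disabling Check Password and applying the policy, it helps to know which users would be forced to change their password on the very first policy evaluation described above. The agent below is an added example, not code from the answerer or from IBM/HCL; it is a read-only audit that lists Person documents still set to check passwords whose recorded last change is older than the planned 90-day interval. It assumes the Person form stores the mode in the item `CheckPassword` (with `"1"` meaning "Check password") and the last change date in `PasswordChangeDate`, and that the hidden view `($People)` lists Person documents; confirm these names against your own Domino Directory design before running it.

```lotusscript
' Added audit agent (not part of the original answer). Assumed item names:
' "CheckPassword" ("1" = check password) and "PasswordChangeDate" on the
' Person form, and the hidden view "($People)" in names.nsf. Verify them
' in your Domino Directory design before relying on the report.
Option Declare

Sub Initialize
    Const EXPIRY_DAYS = 90          ' the interval the new security policy will enforce
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim view As NotesView
    Dim doc As NotesDocument
    Dim lastChange As Variant
    Dim ageDays As Long
    Dim atRisk As Long

    Set db = session.CurrentDatabase        ' run this agent from the Domino Directory
    Set view = db.GetView("($People)")
    If view Is Nothing Then
        Print "View ($People) not found; run this agent in names.nsf"
        Exit Sub
    End If

    atRisk = 0
    Set doc = view.GetFirstDocument
    Do Until doc Is Nothing
        ' Only users whose person document still has Check Password enabled matter here
        If doc.GetItemValue("CheckPassword")(0) = "1" Then
            lastChange = "(none)"
            If doc.HasItem("PasswordChangeDate") Then
                lastChange = doc.GetItemValue("PasswordChangeDate")(0)
            End If
            If IsDate(lastChange) Then
                ageDays = CLng(Today - lastChange)   ' whole days since the recorded change
            Else
                ageDays = -1                         ' no usable date: treat as stale
            End If
            If ageDays < 0 Or ageDays > EXPIRY_DAYS Then
                atRisk = atRisk + 1
                Print doc.GetItemValue("FullName")(0) & " : last change " & _
                    CStr(lastChange) & " (" & CStr(ageDays) & " days) - would be forced to change"
            End If
        End If
        Set doc = view.GetNextDocument(doc)
    Loop
    Print CStr(atRisk) & " user(s) would be locked out when the " & CStr(EXPIRY_DAYS) & "-day policy is first applied"
End Sub
```

The agent changes nothing; it only prints to the agent log, so it can be run repeatedly while you clear Check Password (Actions, Set Password Fields, Don't Check password) for the listed users and then apply the security policy. Note that, as the answer points out, the date the policy actually evaluates may come from the user's ID file rather than the person document, so treat this list as a lower bound rather than an exact prediction.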
This was first published in June 2005