Expiring password notification

mat houser mhouser at uwm.edu
Thu Oct 19 16:48:57 EDT 2017


Hello List,

Since the beginning of passwords at UW-Milwaukee they have never been
made to expire after a defined period. Now that the general consensus
appears to be to not arbitrarily expire passwords unless they're
forgotten, compromised or deemed likely to be compromised, our wise
board of regents has decided that we will soon be arbitrarily expiring
passwords every 6 months.

Because we haven't ever expired passwords before, our LDAP doesn't use
the ppolicy overlay, so none of the accounts there have any of the 
relevant ppolicy schema attributes. We have an Active Directory that does
have pwdLastSet, but the problem with that is that we intend to roll
out the expiring password policy gradually, and if we just took
pwdLastSet and did the thing with idp.authn.LDAP.passwordAge = the
equivalent to six months, everybody with a password older than that
would suddenly be flagged as expiring. I'm fairly confident that the
population that this would affect is almost everybody who hasn't been 
phished recently.

A bit of googling has suggested that msDS-UserPasswordExpiryTimeComputed
could possibly be used, but I'm failing to find any documentation
on how to set it up to trigger the expiring password flow for some
period before expiration. I know that the expired password flow works,
but for some reason the powers that be would prefer to give the users some
warning in advance.

Does anybody have a source for some documentation on how this could be
approached?

Thanks,
     -mat houser



-- 
-------------
mat:houser
mhouser at uwm.edu
uwm:uits:iam-support
-------------
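
Added example, not part of the original message and not Shibboleth or UWM code: a Python sketch of the comparison the message describes. It contrasts a pwdLastSet-plus-fixed-age test with a warning window measured against msDS-UserPasswordExpiryTimeComputed. The accounts, dates, 14-day window and function names are constructed assumptions; the two sentinel values are the ones Active Directory returns for never-expiring and must-change accounts.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF  # computed value when no expiry applies
MUST_CHANGE = 0                     # computed value when pwdLastSet is 0

def to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000

def from_filetime(ticks):
    return EPOCH + timedelta(microseconds=ticks // 10)

def flagged_by_age(pwd_last_set, now, max_age):
    """pwdLastSet plus a fixed age: flags every old password at once."""
    return pwd_last_set == 0 or now - from_filetime(pwd_last_set) >= max_age

def expiry_state(expiry_computed, now, warn):
    """Classify an account from msDS-UserPasswordExpiryTimeComputed."""
    if expiry_computed == NEVER_EXPIRES:   # check before converting: the
        return "ok"                        # sentinel overflows datetime
    if expiry_computed == MUST_CHANGE:
        return "expired"
    expires = from_filetime(expiry_computed)
    if expires <= now:
        return "expired"
    return "expiring" if expires - now <= warn else "ok"

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

NOW, MAX_AGE, WARN = utc(2017, 10, 19), timedelta(days=180), timedelta(days=14)
# Constructed accounts: (pwdLastSet, msDS-UserPasswordExpiryTimeComputed).
ACCOUNTS = {
    "alice": (to_filetime(utc(2012, 1, 1)), NEVER_EXPIRES),  # not yet in scope
    "bob": (to_filetime(utc(2017, 5, 1)), to_filetime(utc(2017, 5, 1) + MAX_AGE)),
    "carol": (to_filetime(utc(2017, 9, 1)), to_filetime(utc(2017, 9, 1) + MAX_AGE)),
}

def compare():
    """Map each account to (flagged by age test, state from computed expiry)."""
    return {name: (flagged_by_age(pls, NOW, MAX_AGE), expiry_state(exp, NOW, WARN))
            for name, (pls, exp) in ACCOUNTS.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The age test flags only the account that has not yet been brought under the policy, while the computed-expiry test warns only the account whose password actually expires within the window.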


