探花大神

Manage Your Password Expiration Strategy

Your organization's strategy for password expiration dictates how long 探花大神 user account passwords are valid and when users need to change their password. This allows your organization to implement security policies that meet your compliance standards.

探花大神's password expiration options let you:

  • Set a password lifespan for your organization.
  • Require new users to change their temporary password the next time they log in.
  • Immediately expire individual user passwords.

Configuring the Password Aging Settings for Expiration 

探花大神's Password Aging settings for expiration apply globally for your entire organization. Access and manage these settings from Settings > Security > Password Settings. Learn more in Manage Password and Security Settings.

Considerations:

  • Individual users can be exempted from password expiration. See Get Started: Users.
  • If a password expires, users will remain logged in as long as they are active. Once they become inactive, such as when the device goes to sleep, the user will be locked out of their account and will need to change their expired password to log in. Learn more in Unlock User Accounts.
    • Alternatively, you can configure the actions taken when a user's password expires for Google Workspace, RADIUS, LDAP, and M365/Entra ID via the 探花大神 API.
  • Settings don't apply to the 探花大神 Menu Bar App.
  • You can't modify the password expiration notice on the 探花大神 Menu Bar App/Windows App. Users on 探花大神-managed Mac and Windows devices are encouraged to update their passwords in the 探花大神 Menu Bar App to keep their passwords in sync with Keychain, FileVault and other apps.

To manage Password Aging settings:

  1. Log in to the .
  2. Go to Settings > Security.
  3. In the Password Settings section, set appropriate Password Aging options for your org.
  4. Click Save to implement your changes. A confirmation modal appears.
  5. Users will need to comply with the updated aging setting on their next password change. Click Apply to confirm.
  6. If you prefer to set a custom date by which this setting will take place, click Custom Date and select the target date from the calendar.
    • New users added before this date must adhere to the updated password aging settings. If existing users reset their password before this date, their updated password must adhere to the new settings.

You can set the following settings for password expiration:

  • most recent passwords cannot match each other (limit historical reuse): Specifies the number of unique passwords a user has to create before they can reuse a previous password. Enter a number between 1-24. 
  • N days until password expiration: Specify the lifespan (in days) of passwords for your organization. If you don't choose to expire passwords, they're valid indefinitely. After the lifespan expires, users must change their password.
    • N days prior to password expiration, require password reset at login: If you choose to expire passwords, you can require users to reset their password for a certain number of days before their password expires. This option helps ensure that access to password protected resources isn't interrupted by requiring users to change their password before it expires.
  • Allow password change after expiration: You can allow users with expired passwords to change their password from their 探花大神-managed device, alleviating the need for admins to manually reset user passwords. There are some considerations before enabling this, however:
    • After you expire a user's password, it's immediately invalid; the user is logged out of their device and connected resources, and is required to change their password from their 探花大神-managed device the next time they log in.
    • If you've required MFA for the User Portal, your users will need to verify their identities using one of the configured methods.
    • If you haven't enabled the Allow password change after expiration setting for your organization and attempt to expire a user's password, you can either enable the setting for your org or cancel the password expiration. If you enable the setting for your org, all users with expired passwords are able to reset their password from their 探花大神-managed devices.

Managing Password Expiration for New Users with Temporary Passwords

When you create new users, you can give them a temporary password. To make sure users change their password to a private, secure password quickly, you can require that they change their password the next time they log in to their 探花大神-managed device. 

Read considerations for Allow password change after expiration.

To require a new user to change their temporary password:

  1. Log in to the .
  2. Go to USER MANAGEMENT > Users.
  3. Click ( + ), then select Manual user entry. Learn about creating users: Get Started: Users.
  4. On the New User panel's Details tab, in the User Security Settings and Permissions section, select Specify initial password, then enter a temporary password for the user.
  5. Next, select the User must change password at next login option. If you haven't enabled the Allow password change after expiration setting for your org, you're notified on the Force Password Change modal. You can choose to enable the setting for your org by clicking force change, or choose not to by clicking cancel. If you enable the setting for your org, all users with expired passwords are able to reset their password.

Managing Password Expiration for Existing Users

You can manually expire passwords for individual users from the User panel. 

Read considerations for Allow password change after expiration.

To immediately expire a user's password and force them to change their password:

  1. Log in to the .
  2. Go to USER MANAGEMENT > Users.
  3. Select a user to view their details.
  4. Click the user's password status, then select Force Password Change.
    • If you haven't enabled the Allow password change after expiration setting for your org, you're notified on the Force Password Change modal. You can choose to enable this setting for your org by clicking force change, or choose not to by clicking cancel. If you enable the setting for your org, all users with expired passwords are able to reset their password.

Managing Password Expiration for Multiple Existing Users

You can manually expire passwords for multiple users from the Users list. 

Read considerations for Allow password change after expiration.

To immediately expire multiple users' passwords and force them to change their password:

  1. Log in to the .
  2. Go to USER MANAGEMENT > Users.
  3. Select the users whose password you want to expire.
  4. Click more actions, then select Force Password Change. If you haven't enabled the Allow password change after expiration setting for your org, you're notified on the Force Password Change modal. You can choose to enable the setting for your org by clicking force change, or choose not to by clicking cancel. If you enable the setting for your org, all users with expired passwords are able to reset their password.

Allowing a Password Change After Expiration

The following flows assume the Allow password change after expiration setting is enabled for an organization.

Require a New User to Change their Temporary Password

The following flow applies when admins select to require a new user to change their temporary password: 

  1. An administrator creates a new user, gives the user a temporary password, and selects User must change password at next login.
  2. The user must change their password the next time they log in to their device:
    • If 探花大神 detects the user is on a Mac or Windows device, they're asked to update their password on their device login screen. If you've required MFA for the User Portal, users are required to verify their identity when they change their password.
    • If 探花大神 detects the user is on a Linux device, they can log in to their User Portal using expired credentials and are shown a password change prompt. This prompt can't be dismissed. If you've required MFA for the User Portal, users are required to verify their identity when they change their password.

An Existing User's Password Expires

The following flow applies when a user's password lifespan expires:

  1. The user's password lifespan is reached and the password expires.
  2. The user is logged out of their device and all 探花大神-managed resources.
  3. The user must change their password the next time they log in to their device:
    • If 探花大神 detects the user is on a Mac or Windows device, they're asked to update their password on their device login screen. If you've required MFA for the User Portal, users are required to verify their identity when they change their password.
    • If 探花大神 detects the user is on a Linux device, they can log in to their User Portal using expired credentials and are shown a password change prompt. This prompt can't be dismissed. If you've required MFA for the User Portal, users are required to verify their identity when they change their password.

Expire an Existing User's Password

Note:

The password for a Samba user, which is the Samba Service Account, cannot be expired.

The following flow applies when an admin expires an existing user's password, unless the user is the Samba user:

  1. An administrator selects to view an existing user's details.
  2. The administrator clicks the user's password status, then selects Force Password Change.
  3. The password is immediately expired and the user is logged out of their device and all 探花大神-managed resources.
  4. The user must change their password the next time they log in to their device:
    • If 探花大神 detects the user is on a Mac or Windows device, they're asked to update their password on their device login screen. If you've required MFA for the User Portal, users are required to verify their identity when they change their password.
    • If 探花大神 detects the user is on a Linux device, they can log in to their User Portal using expired credentials and are shown a password change prompt. This prompt can't be dismissed. If you've required MFA for the User Portal, users are required to verify their identity when they change their password.

Implementing a Rolling Password Expiration Policy

Note:

This section describes legacy behavior for password expiration. See Manage Password and Security Settings.

When enabling password expiration for a 探花大神 organization, the default behavior is to set the password expiration date to the same date and time for all users of a 探花大神 organization. To limit the number of accounts that are set to expire on a given date and time, admins can create a phased, rolling password expiration policy for their organization.

This can be done by enabling the Password Never Expires setting for all users in an organization before enabling password expiration for an organization and then disabling the setting for batches of users at a time.

Tip:

Need to install the 探花大神 PowerShell module to automate this task? See Install the 探花大神 PowerShell Module.

For organizations that already have password expiration in place, the steps can also be implemented, but doing so will update all users' existing password expiration dates.

Only once the Password Never Expires setting is disabled per user will the global password expiration setting apply to the user's account. 

Examples from the 探花大神 PowerShell Module example library are used to modify users and implement a rolling password expiration policy:

  • Step 1:
  • Step 2:
  • Step 3:

When the Password Never Expires setting is disabled for a user, the user's account will be set to expire at the current time plus the number of days configured for expiration. As an administrator, you can choose the duration between the batches of users for which you disable the setting in your organization.
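
The batching arithmetic described above, as an added planning sketch in Python (not code from the 探花大神 PowerShell Module or its example library). It only computes a schedule and calls no API; the function names, parameters and usernames are hypothetical, and the exempt account illustrates a user that stays exempted from password expiration.

```python
from collections import Counter
from datetime import datetime, timedelta


def plan_rolling_expiration(usernames, keep_exempt, batch_size,
                            days_between_batches, lifespan_days, start):
    """Plan when to disable Password Never Expires for each batch.

    A batch's passwords expire at the disable time plus lifespan_days,
    so the spacing between batches carries over to the expiration dates.
    """
    if min(batch_size, days_between_batches, lifespan_days) < 1:
        raise ValueError("batch size, spacing and lifespan must be >= 1")
    # Accounts that must stay exempt never enter a batch.
    users = sorted(set(usernames) - set(keep_exempt))
    plan = []
    for n, i in enumerate(range(0, len(users), batch_size)):
        disable_at = start + timedelta(days=n * days_between_batches)
        plan.append({
            "batch": n + 1,
            "users": users[i:i + batch_size],
            "disable_never_expires_at": disable_at,
            "password_expires_at": disable_at + timedelta(days=lifespan_days),
        })
    return plan


def peak_expirations_per_day(plan):
    """Largest number of accounts whose passwords expire on one date."""
    per_day = Counter()
    for batch in plan:
        per_day[batch["password_expires_at"].date()] += len(batch["users"])
    return max(per_day.values(), default=0)


# Constructed sample data, not real accounts.
SAMPLE_USERS = ["alice", "bob", "carol", "dave", "erin", "svc-backup"]
SAMPLE_PLAN = plan_rolling_expiration(
    SAMPLE_USERS, keep_exempt={"svc-backup"}, batch_size=2,
    days_between_batches=7, lifespan_days=90, start=datetime(2025, 1, 6, 9, 0))

if __name__ == "__main__":
    for b in SAMPLE_PLAN:
        print(b["batch"], b["users"],
              b["disable_never_expires_at"].date(), "->",
              b["password_expires_at"].date())
    print("peak expirations on one day:", peak_expirations_per_day(SAMPLE_PLAN))
```

Comparing `peak_expirations_per_day` for the batched plan against a single batch shows how many simultaneous lockouts the rollout avoids.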

Forcing an Org-Wide Password Reset

Organizations may want, or sometimes have an immediate need, to have their entire user base reset passwords. There are many ways to facilitate this with 探花大神. Each option has advantages and disadvantages, its own way of initiating the reset flow, and a different resulting user experience.

See Force an Organization-Wide Password Reset to learn more.
