Administering user accounts

Controlling password expiration

In the Account Manager, select a user name, then select Password Restrictions from the Users menu, then select Expiration.

System defaults are used unless you use the default toggle buttons to unstipple the text fields:

Days allowed between changes: sets how long users must wait before they can change their password again. This prevents users from changing their passwords when they expire and then immediately changing them back to the previous one.
Days until password expires: sets how long a password is valid. When the password expires, the user is prompted to set a new password when they log in.
Days until account is locked: sets the interval between the time when the password expires and the account is automatically locked (preventing the user from logging in). Also known as the ``password lifetime''.

To change the system default values, use these commands:

usermod -D -x "{passwdMinChangeTime value}"
usermod -D -x "{passwdExpirationTime value}"
usermod -D -x "{passwdLifeTime value}"

You can change the value for an individual user with the usermod(ADM) command by omiting the -D option and appending the user name to the above commands.

NOTE: The Low and Traditional security profiles use password restrictions that are very lenient: passwords do not expire, accounts are not locked, and there is no minimum interval between password changes.

The default account initialization files (.cshrc, .profile, .kshrc, and so forth) automatically execute the prwarn(C) utility at login time to warn users about impending password expiration.