Force Password Expire on Creation

Team, I need to ensure that every time a user is created, the password expire option is invoked, even if the creator did not specify the option. How do I do it?

You made an attempt-- post the code.  Tell us what didn't work.  Did you get an error?  If so, what error?
My guess is that you could write a DDL trigger that submitted a job using DBMS_JOB that expired the user's password.  That would be quite ugly both from a code and from an architecture standpoint.  But it would seem to work.
In keeping with Hemant's answer, though, it seems far more beneficial to focus on preventing the error rather than mitigating it.  Build a stored procedure, for example, that creates a user and implements whatever requirements you have and revoke the ability of whoever is currently making the mistake to run a direct CREATE USER statement.  It's virtually always easier to prevent a problem up front than it is to try to fix it on the back end.
Justin    
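
The stored-procedure approach suggested in the answer above, written out as an added example that is not code from the thread. The schema SEC_ADMIN, the procedure CREATE_MANAGED_USER and the grantee PROVISIONING_USER are hypothetical names, and the input rules are assumptions to adapt to your own naming and password policy.

```sql
-- Added example (not from the thread). Hypothetical names: schema SEC_ADMIN,
-- procedure CREATE_MANAGED_USER, grantee PROVISIONING_USER.
-- SEC_ADMIN needs CREATE USER granted directly (not through a role), because
-- roles are disabled inside definer-rights procedures.
CREATE OR REPLACE PROCEDURE sec_admin.create_managed_user (
    p_username IN VARCHAR2,
    p_password IN VARCHAR2
)
AUTHID DEFINER
AS
BEGIN
    -- The user name is concatenated into DDL, so accept only a plain
    -- identifier (assumed rule: letter first, then letters, digits or _).
    IF p_username IS NULL
       OR NOT REGEXP_LIKE(p_username, '^[A-Za-z][A-Za-z0-9_]{0,29}$')
    THEN
        RAISE_APPLICATION_ERROR(-20001, 'Invalid user name');
    END IF;

    -- The password is placed inside double quotes below; a double quote in
    -- the value would end the quoted string early, so reject it.
    IF p_password IS NULL OR INSTR(p_password, '"') > 0 THEN
        RAISE_APPLICATION_ERROR(-20002, 'Password is empty or contains a double quote');
    END IF;

    -- PASSWORD EXPIRE is always appended, whatever the caller intended.
    EXECUTE IMMEDIATE
        'CREATE USER ' || p_username ||
        ' IDENTIFIED BY "' || p_password || '"' ||
        ' PASSWORD EXPIRE';
END create_managed_user;
/

-- Route account creation through the procedure only. This assumes
-- PROVISIONING_USER holds CREATE USER as a direct grant; if it comes
-- through a role, revoke it from the role or remove the role instead.
REVOKE CREATE USER FROM provisioning_user;
GRANT EXECUTE ON sec_admin.create_managed_user TO provisioning_user;

-- Review query: accounts created in the last day that are not in an expired
-- state. An account whose owner has already logged in and changed the
-- password also shows OPEN, so treat the rows as candidates for review.
SELECT username, account_status, created
FROM   dba_users
WHERE  created > SYSDATE - 1
AND    account_status NOT LIKE 'EXPIRED%';
```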

Similar Messages

  • How to check: password expired,password forced to change,user disable

    I am writing an application to detect the following. I just need to check whether the condition is true. What are the things that I need to check for:
    - when a user password is going to expire in x days?
    - when a user is forced to change his password?
    - when a user is disabled? For this, do I check the attribute "nsaccountlock=true"?
    Chooichin

    > I am writing application to detect the following. I just need to check whether the condition is true. What are the things that I need to check for:
    > - when a user password is going to expired in x days?
    You can use the passwordControls during a BIND operation and investigate if the password expired/expiring in so many secs.
    > - when a user is forced to changed a his password?
    > - when a user is disabled? For this, do I check the attribute "nsaccountlock=true"?
    Yes, if some interface is actually using this to disable the user in the first place.
    > Chooichin

  • How to implement Force password change during authentication

    Description of problem
    Our client requires web applications to support its internal security policy beyond
    normal authentication. This includes:
    - force password change periodically. This should be performed at logon time.
    - maintain password history so that a new password would not repeat any of its
    previous 15 changes.
    We already have an authentication server that satisfies these requirements. However,
    we would also like to base our solution on WebLogic security framework so that
    we can leverage the benefit of the container-managed declarative security (e.g.
    we don't need to use our special cookie to check whether a user is authenticated
    for every web page in the application). So the best scenario for us is to wrap
    up this authentication server using WLS 7.0 authentication SSPI.
    My initial investigation of WLS 7.0 security framework (based on edocs and the
    sample customer security provider codes) convinced me that overall, this is achievable.
    However, I am still left with quite a few questions, which I would like to get
    your help.
    Questions:
    1. (web container) The J2EE-standard container-based authentication is to specify
    <login-config> element. My understanding is that only FORM based authentication
    is applicable. The specified form elements:
    <form method="post" action="j_security_check">
    <INPUT TYPE="TEXT" NAME="j_username">
    <INPUT TYPE= "password" NAME="j_password">
    </form>
    is adequate for authentication. However, if the authentication service provider
    indicates that password change is needed, what would be the most appropriate way
    within WebLogic for the authentication service provider to pass such a flag to
    the web container so that our application can access it? I guess a simpler
    question would be: using the standard <login-config>, the webapp knows only whether
    authentication fails or succeeds. Can it possibly know more information provided
    by the authentication service provider right after authentication?
    2) If we don't use standard FORM-based authentication, we will code up our own
    authentication control, which could give us a lot more flexibility, but can we
    then bind our Subject obtained through our authentication control to the WebLogic
    Subject that is running the webapp.
    3) (Authentication service provider) Our design is for the custom LoginModule
    to delegate login calls to the authentication server, and throws more refined
    exceptions such as: FailedLoginException, PasswordExpiredException, UserAccountLockedException
    (all subclassed from LoginException). Another approach is to provide detailed
    information such as password expired in callbacks. Either way, when Authentication
    service provider returns, how our web application can access this refined flag
    of authentication result.
    4) Can our customer authentication service provider use DataSource defined in
    a weblogic server? I ask this question because DataSource itself is a protected
    resource of WebLogic. Will referencing it during authentication initiate another
    authentication cycle?
    Can anyone who has experienced similar requirements and worked solutions please
    give me a hint? I appreciate your guidance.
    regards
    Licheng

    "Licheng" == Licheng <[email protected]> writes:
    Licheng> Description of problem
    Licheng> Our client requires web applications to support its internal security policy beyond
    Licheng> normal authentication. This includes:
    Licheng> - force password change periodically. This should be performed at logon time.
    Licheng> - maintain password history so that a new password would not repeat any of its
    Licheng> previous 15 changes.
    Licheng> ..
    Licheng> We already have an authentication server that satisfy these requirements. However,
    Licheng> we would also like to base our solution on WebLogic security framework so that
    Licheng> we can leverage the benefit of the container-managed declarative security (e.g.
    Licheng> we don't need to use our special cookie to check whether a user is authenticated
    Licheng> for every web page in the application). So the best scenario for us is to wrap
    Licheng> up this authentication server using WLS 7.0 authentication SSPI.
    I believe it's impractical to fit the requirement of forcing a password change
    into the standard JAAS interface.
    I think the only practical way to do this is to implement a servlet filter that
    reads the persistent record of the logged-in user to check for a "force change
    password flag". If it finds this, the servlet filter will forward to a page to
    change your password. Note that the servlet filter may be hit again when
    trying to get to the change password page, so it needs to know to not do the
    check in that case.
    If you implement this, I would strongly urge you to softcode the "change
    password" page URL in your system configuration, and not hardcode it in the
    servlet filter.
    ===================================================================
    David M. Karr ; Java/J2EE/XML/Unix/C++
    [email protected] ; SCJP; SCWCD

  • ADFS 3.0 and force password change

    I was wondering if anyone knows if ADFS 3.0 supports the AD flag "Force password at first login"?  I know 2.0 does not. I have been integrating Shibboleth with my ADFS and a custom login handler but I would really like to not complicate my setup and use straight ADFS if at all possible.  Our ADFS setup would be for a SSO into our on-premise Sharepoint 2010 server. Even if 3.0 returns an error indicating that the password needs changed at least I can then tell the student that and direct them to our FIM server to have them register and set their password.  Any thoughts?
    Thanks
    Joe
    Joe M

    Brian,
    I understand that Azure AD won't store password.  This is all on-premise servers, nothing in Azure.  I see that with ADFS 3.0, if the flag is set to change password at next logon, the user does get a different message than if they just typed a wrong password.  I guess what I am looking at doing is instead of them getting the message that their password is expired, redirect them to our FIM server so that they can register for self-service as well as set their new password.  In ADFS 2, the returned message was the same whether it was an expired password or a wrong password.  So ADFS 3 is nice in regards to that. Now it is just a matter of trying to take advantage of that.  I thought about maybe creating a relying party trust to our FIM with a claim on that attribute but just not sure how to go about doing that at the moment.
    Joe M

  • ISE password expiration for Admin account issue

    OK .. we have been working on getting ISE up and running for a little while now and I have come across an odd and reoccurring issue with my admin accounts. I cannot figure out if there is something that we have missed in the setup or if there is an actual issue with the password policies. It seems that there is a "user" type password policy and then there is an "admin" type policy and I am trying to figure out if they are stepping on each other or something. I am running version 1.2.0.899 with patch 5,1.
    Here is the issue. I have started receiving password expiration reminders for the two admin accounts I have setup on the cluster. I have my address setup for an admin user named "admin" and an admin user named "wberry" and I receive two different e-mails for both accounts. The issue that I have is the dates listed in the e-mails. This is one e-mail that I get:
    The password for your local admin "wberry" is expiring on Mon Jun 01 09:43:03 CDT 2015. Please update immediately, by going to https://mem7700.spd.mli.corp/admin, signing-in, and clicking on the user name at the upper right corner.
    This is the second email that I get for the same account:
    Your network access password will expire on Thu Dec 03 08:43:03 CST 2015. Please contact your system administrator for assistance .
    As you can see the dates in the two messages are completely different. My admin policy is set with expired 180 days after creation and last change and the reminder is set to 10 days prior to expiration. The user password policy lifetime is also 365 days if password not changed with the reminder after 355 days. 
    Thoughts / recommendations.
    Brent

    Here you go:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/4.1/user/guide/UG_over.html#wp1053919
    In fact, to reset the password, you must choose the change password option before you login the GUI.
    Cheers,
    Dom.

  • Best way to force password policy on users within 1-2 weeks?

    We have a Server 2008 R2 domain.
    I'd read that the password policy in GPO is only available for Computer Configuration, not User Configuration? Is that correct? 
    If so, that's not very flexible and will make things trickier for us.  
    And regarding enforcing a password policy with a GPO on our local domain, do you know of a way to force users to change their passwords within say 1 week? The only options I know of are on the AD User account properties check a box "User must change password at next logon" (then you'd have to force them to log out) OR relying on AD's internal formula: webactivedirectory.com/.../how-active-directory-calculates-account-password-expiration-dates .  The problem I see with the latter is if your user hasn't changed their pw for a year you'd have to wait a year+how many days you set for max password age?
    spnewbie

    To add, the password policy is applied at the domain level and only works at the domain level. It's not the fact that it's at the "Computer Level" or "User Level" or not, it's the fact that it's only set at the domain level.
    Account policies (Password, Lockout and Kerb), are all under the Computer Config because it forces it to apply to all user accounts that access all machines.
    If you tried to create a password policy at any other level (any OU), it won't work. The only option is to use PSOs, as Mahdi pointed out.
    As for that Spiceworks thread, I would suggest to post a question about a specific product to the product vendor's support forum for accurate responses.
    Here's an excerpt from MOC 6425C Configuring and Troubleshooting Windows Server 2008 Active Directory, page 10-8 (and this applies to all versions of AD):
    Active Directory supports one set of password and lockout policies for a domain. These policies are configured in a GPO that is scoped to the domain. A new domain contains a GPO called the Default Domain Policy that is linked to the domain and that includes
    the default policy settings for password, account lockout, and Kerberos policies. You can change the settings by editing the Default Domain Policy GPO.
    The best practice is to edit the Default Domain Policy GPO to specify the password policy settings for your organization. You should also use the Default Domain Policy GPO to specify account lockout policies and Kerberos policies. Do not use the Default
    Domain Policy GPO to deploy any other custom policy settings. In other words, the Default Domain Policy GPO only defines the password, account lockout, and Kerberos policies for the domain. Additionally, do not define password, account lockout, or Kerberos
    policies for the domain in any other GPO.
    The password settings configured in the Default Domain Policy affect all user accounts in the domain. The settings can be overridden, however, by the password-related properties of the individual user accounts. On the Account tab of a user's Properties dialog
    box, you can specify settings such as Password Never Expires or Store Passwords Using Reversible Encryption. For example, if five users have an application that requires direct access to their passwords, you can configure the accounts for those users to store
    their passwords by using reversible encryption.
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • No password expiration date

    Hi all,
    I am working on a web service in order to modify the password expiration date.
    In particular, they requested me to set password never expires at user's creation moment.
    I wrote something like this:
    uacc = UMFactory.getUserAccountFactory().newUserAccount(susUserName, newUser.getUniqueID());
    uacc.setPassword(susUserPassword);
    uacc.setPasswordChangeRequired(false);
    but users continue to be created with the usual password expiration date.
    I tried to search for something in my library that could help me, but with no luck. In particular, I tried using the method setPasswodExpirationDate of ISecurityPolicy and of class SecurityPolicy, but I cannot find a method to link these methods to the user account. I have also seen that by changing the security policy to "Technical User" I may overcome the problem, but the method setSecurityPolicy is not implemented in the libraries on the server.
    Could you please give me some advice on this topic? I really do not have any more ideas.
    Best Regards,
    Francesco Macaluso

    Use the below code to set your user as technical user.
    IUserAccountFactory uaFactory = UMFactory.getUserAccountFactory();
    IUserAccount userAccount = uaFactory.getUserAccountByLogonId("<userID>");
    IUserAccount mutableUserAccount = uaFactory.getMutableUserAccount(userAccount.getUniqueID());
    mutableUserAccount.setAttribute("com.sap.security.core.usermanagement", "SecurityPolicy", new String[]{IUserAccount.SECURITY_POLICY_TYPE_TECHNICAL});
    mutableUserAccount.commit();
    Thanks
    Prashant

  • FRM-92101 when password expired

    Hi there,
    I have a custom login form. If the user's password has expired I am getting FRM-92101 error.
    This is the code I have when the user clicks on the connect button:
    IF (lv_errnum = 28001) -- password expired
    THEN
        al_id := FIND_ALERT ('ERRS');
        SET_ALERT_PROPERTY
            (al_id,
             alert_message_text,
             'Your password has expired. Please enter a new password in the next pop up window.');
        al_button := SHOW_ALERT (al_id);
        LOGOUT;
        LOGON (:logon_block.username,
               :logon_block.PASSWORD || '@' || :logon_block.dbconnect,
               TRUE);
        RETURN TRUE;
    At LOGON, 92101 is occurring; Oracle's default change password block is not popping up. I want it to pop up.
    Can anybody help me??
    Thanks

    Instead of hardcoding values, I created another datablock to accept new values and moved LOGON to the OK button.
    My old code has been modified as:
    ELSIF (lv_errnum = 28001) -- password expired
    THEN
        al_id := FIND_ALERT ('ERRS');
        SET_ALERT_PROPERTY
            (al_id,
             alert_message_text,
             'Your password has expired. Please enter a new password in the next pop up window.');
        al_button := SHOW_ALERT (al_id);
        message('before msg level');
        message('before change pwd');
        go_block('Chg_pwd');
        RETURN TRUE;
    When-button-pressed for the OK button:
        message('begin ok button');
        LOGON (:chg_pwd.uname,
               :chg_pwd.new_pwd || '@' || :logon_block.dbconnect,
               TRUE);
    Even before the message 'before change pwd' shows up, 92101 pops up.
    I have another question: how do you force the Oracle default password change pop up to show up?
    Thanks

  • Windows domain password expired

    Macbook Pro, bound to Windows domain, running 10.7.5
    This one user's domain password expired.  Now, she can't log into the Mac with her new password.  That's all.
    I'm a Windows admin, but I'm fairly competent in supporting OSX.  I'm hoping there's a very easy fix to sync their current password with the domain controller.  For my first trick, I've tried plugging her into the wired network until the red dot goes away and network accounts are "available".  Didn't work.  Unbind, re-bind to domain didn't help either.  Other AD accounts can log into this Macbook with their current passwords (for example: I haven't logged in in over 90 days, our default password expiration period, and I could get in just fine AND I was prompted to update my keychain password)
    Side note:  I was hoping to find the equivalent of a "gpupdate /force" for OSX, but that seems to be hard to find.
    What other information is needed?
    Thanks!

    Hi, did you manage to solve this?
    I have a similar issue:
    - Suddenly, more than one week ago, I could not unlock my Mac, hence I believed that my domain password had expired
    - By using Outlook Web Access I logged in with the old password, which made me realise that the password wasn't expired after all
    - I thought it was useful to change the password anyway, and I did that using OWA
    - I got back to the Mac and realised that I could not login with either the old or the new password!
    - I forced reboot the Mac, and now I can login only with the *old* password, the one that stopped working!
    Since then, I need to use the old password on the Mac and the new on all other network resources associated to the domain. All of this happened while in my office, so no networking complications. I have spent time with the Mac still on the same network but the new password never got 'propagated' to it since. 
    G.

  • DS 6.2 and password expiration

    Hello,
    I'm having problems enforcing password expiration with DSEE. We have two Solaris 10 DSEE 6.2 servers configured with multi-master replication. The clients are running Solaris 8 (117350-47 Jun 2007 kernel patch level), and are using pam_ldap authentication.
    Using either telnet (just as a test) or ssh to login, I don't receive warnings of password expiration, nor is the account locked after passwordExpirationTime is exceeded.
    As an example, I can still authenticate as a user with this passwordExpirationTime:
    passwordExpirationTime=20071123163438Z
    The following is our DSEE password policy:
    pwd-accept-hashed-pwd-enabled : off
    pwd-check-enabled : on
    pwd-compat-mode : DS6-mode
    pwd-expire-no-warning-enabled : on
    pwd-expire-warning-delay : 4w
    pwd-failure-count-interval : 10m
    pwd-grace-login-limit : disabled
    pwd-keep-last-auth-time-enabled : on
    pwd-lockout-duration : disabled
    pwd-lockout-enabled : on
    pwd-lockout-repl-priority-enabled : on
    pwd-max-age : 12w6d
    pwd-max-failure-count : 4
    pwd-max-history-count : 3
    pwd-min-age : 1w
    pwd-min-length : 6
    pwd-mod-gen-length : 6
    pwd-must-change-enabled : off
    pwd-root-dn-bypass-enabled : off
    pwd-safe-modify-enabled : off
    pwd-storage-scheme : SSHA
    pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
    pwd-strong-check-enabled : on
    pwd-strong-check-require-charset : any-three
    pwd-supported-storage-scheme : CRYPT
    pwd-supported-storage-scheme : SHA
    pwd-supported-storage-scheme : SSHA
    pwd-supported-storage-scheme : NS-MTA-MD5
    pwd-supported-storage-scheme : CLEAR
    pwd-user-change-enabled : on
    Am I missing something obvious in the DSEE password policy? Would any other information be helpful in troubleshooting, such as /etc/pam.conf, patch levels of other packages, etc.?
    Thanks!

    If your DS6 instance is in DS5-compatible-mode (see above references), passwordExpirationTime is not ignored; however, please note that modifying server operational attributes via protocol has never been supported.
    A supported way to force a user to change his or her password (without administratively resetting the password) would be to define a specialized password policy with a small max-age value (but maintaining the relationship pwdMinAge+pwdExpireWarning<pwdMaxAge), and use Roles/CoS to scope the policy to the user entry that requires a password change, but for which the password has not yet been changed. A value of pwdChangedTime in the past (or its absence from the entry) would indicate that the password had not yet been changed as requested. If the DS6 instance is in DS5-compatible-mode, you will need to enable grace logins via passwordWarning in the policy, while if the DS6 instance is in DS6-migration-mode or DS6-mode, you will also need to enable grace logins via pwdGraceAuthNLimit in the policy. Otherwise, the user cannot bind with an expired password.
    OpenDS includes a "must-change-by" feature in the password policy that simplifies configuring the specialized password policy, but I'm not aware of any plans to add this feature to DS6.

  • DS 6.3 password expiration oddities

    I have been exploring an upgrade from DS5.2 to DS 6.3 to take advantage of the enhanced password policies and password expiration that have never worked quite right in DS5.2.
    The previous 5.2 and migrated 6.3 environments both use netgroups to restrict logins to specific systems.
    This generally works very well, although I'm seeing weirdness for local system accounts.
    I've explored the forums, tweaked pam.conf and nsswitch.conf in pretty much every way that's been suggested.
    DS 6.3 is setup on Solaris 10, and my client systems are Solaris 8, with all of the latest necessary patches applied.
    nsswitch has:
    passwd: compat
    group: compat
    passwd_compat: ldap
    group_compat: ldap
    netgroup: ldap
    All local and LDAP accounts can login fine if pam.conf has:
    other account requisite pam_roles.so.1
    other account binding pam_unix_account.so.1 server_policy
    other account required pam_ldap.so.1
    But no warning messages are received from the directory server for password expiration or administrative password resets.
    If I change pam.conf to have:
    other account requisite pam_roles.so.1
    other account optional pam_ldap.so.1
    other account binding pam_unix_account.so.1 server_policy
    All users can login, password expiration warnings are received, and users are notified if the admin user resets their password, but (as expected) users aren't forced to reset their password on first login or resets.
    Using "required" or "requisite" for pam_ldap in the above stack order, disables local account logins, as they are
    prompted for LDAP passwords that they don't have.
    Any combination of settings that I've tried that successfully force resets, etc. appear to disable the ability of local accounts to login - they are prompted for LDAP password, which of course fails.
    If anyone can demonstrate a combination of nsswitch.conf and pam.conf settings that will actually allow local user login, but still enforce password policies and expiration warnings, for Solaris 8 clients, it would be greatly appreciated.

    I'm still struggling to get password expiration and inactivation to work with DS 6.3.1 and Solaris 10 5/08. When accounts are expired or inactivated (nsAccountLock) users can still login via ssh. But when accounts are temporarily locked (pwdAccountLockedTime) ssh does the right thing and won't let them log in.
    Things work properly when I have
    passwd: files ldap
    in nsswitch.conf, but when I go to compatibility mode:
    passwd: compat
    passwd_compat: ldap
    ssh 'ignores' expiration and inactivation status of accounts.
    Following the advice of your last comment here (4.5 years ago!) I took away all access to the 'userPassword' attribute for the proxy account, but nothing changed (I did an 'ldapsearch' as the proxy account to ensure that the aci was working as expected and denying all access to the attribute).
    Would you, akillenb, or anyone, be so kind as to give any information that will let a Solaris 10 client work properly with the enhanced account management facilities of the Sun DSEE 6.3.1 LDAP server? Copies of pam.conf and nsswitch.conf and details on LDAP aci's would be most gratefully received!!!

  • DS 6.3 ssh key and password expiration warnings

    I suspect this may be more of an ssh issue than a DS issue, but has anyone managed a configuration that will give users logging in with ssh keys, password expiration or reset warnings?
    In my setup, using compat mode in nsswitch.conf, native ldap logins work as expected for users entering their password. - That is, they are forced to change the password after an admin reset, receive "your password will expire" warnings, based on the expiration period set in DS (password policies in DS 6 mode, migrated from DS 5.2), etc.
    If a user has an ssh authorized_key entry, they can login without a password, as long as their password is not expired, or been reset by an admin. They are never shown the warning messages, but are allowed to connect, and then immediately logged off, if their password has expired, passed the number of grace logins, or been reset.
    The user can only login if they start from a different username and bypass the ssh key check.
    Hope this makes sense.

    After running various debug modes, I'm beginning to believe that the Directory Server may only issue the warning messages if a password has been typed, and validated in the directory. Since no password is entered when using an ssh key, the warnings aren't triggered.

  • Forcing Password Changes

    I've got some scenarios I've been asked to research regarding expiring passwords and preventing account lockouts. We are on Windows 7.
    If a user is logged in while their password expires, is it possible to force a prompt to have them change their password before they log out.
    If a user's screen is locked while their password expires, is it possible to set a password change prompt when they attempt to unlock?
    I guess the theme is how can password changes be forced before a user can get locked out after password expiration???
    Thanks,
    Matt

    The only thing you can change is the notification about how many days it is before the password expires.
    http://technet.microsoft.com/en-us/library/ee829687(v=ws.10).aspx

  • How can I display the password expiration date for a user

    I have created a GUI (using PrimalForms) which runs PowerShell scripts to pull information like user ID, email address, last logon etc. for the helpdesk to help establish the validity of some user claims of "it worked yesterday" and the like.
    I have been asked to add the password expiration date, but I am struggling to get the code for this addition.
    Does anyone know how I can include this, and have it in a human readable format?
    The current scripts (there are 3) allow the helpdesk staff to search on user ID and display name, the third provides the last logon, it was impossible to include this in the other scripts so I added an extra search button and called it good. An example of
    these scripts is below (please note, PrimalForms needs a slightly different syntax in order to get the results displayed, but the core script is standard PS, I use Powershell 3.0)
    $results.Text=Get-ADUser -Filter "sAMAccountName -eq '$($EntryBox.text)'" -Properties DisplayName, sAMAccountName, mail, extensionattribute5, PasswordLastSet, PasswordExpired, PasswordNeverExpires, buMemberOf, telephoneNumber, msExchOmaAdminWirelessEnable, whenCreated, whenChanged, enabled, AccountExpirationDate | select givenName, surname, DisplayName, sAMAccountName, mail, extensionattribute5, PasswordLastSet, PasswordExpired, PasswordNeverExpires, buMemberOf, telephoneNumber, msExchOmaAdminWirelessEnable, whenCreated, whenChanged, enabled, AccountExpirationDate | Out-String
    $results.Focus()
    for info:
    $results.text is the window in the GUI results are displayed  in
    $entrybox.text is the text box the helpdesk staff use to input the user ID or display name of the account they are querying
    $results.focus simply tells the script to put the results in the results.text window
    The screenshot below shows the current setup, this is purely to put the above information into perspective. Obviously some of the information displayed has been removed/redacted along with our logo.

    Hi,
    Here's an example you can build from:
    $maxPasswordAge = 120
    Get-ADUser USER -Properties PasswordLastSet |
        Select-Object SamAccountName,
                      PasswordLastSet,
                      @{N='PasswordLifeRemaining';E={$maxPasswordAge - ((Get-Date) - $_.PasswordLastSet).Days}},
                      @{N='PasswordExpirationDate';E={(Get-Date $_.PasswordLastSet).AddDays($maxPasswordAge)}}
    Don't retire TechNet! -
    (Don't give up yet - 13,085+ strong and growing)

  • Want a solution for a scenario-To Set Password expiration in OID from OIM

    Hi,
    I have one scenario. Please guide me in some details to achieve this.
    I have one password policy in OIM. When user's password expires in OIM, then his password should also expire in OID. We have OID as user's repository.
    For this I have one solution but don't know how to implement this in OIM.
    "OID has the LDAP attribute called “pwdMaxAge” map this attribute to the OIM resource object and reset this value to number of days (as per password policy) whenever you change the password in OIM. This will set the password expiration time in the OID without having the password policy in place. "
    Please suggest.
    Thanks in advance.

    Well here is what you can do:
    - For OIM the user's password will be governed with the Xellerate User password policy, which says that password must be changed every 28 days. So you are good in handling this in OIM.
    Now for OID side, you have two options - *1. User changes OID password directly* and *2. User changes OID password through update in OIM profile password*. Most probably you would want the second case. If true then here is what you can do.
    - As user changes the OIM password. Create automatic trigger Change User Password which updates the password in the process form of OID.
    - This invokes the Password Updated task.
    - On SUCCESS of this task, call another task which goes to OID target and updates the attribute pwdMaxAge to Current date + 28
    Thanks
    Sunny
