Which OD attribute controls password expiration?

Similar Messages

• Password expiring notification

  Hello everybody. I'm developing a control wich warns an user logging to a web application about when his password (stored in an active directory server) is going to expire. I've found in this forum plenty of information to write this control and it's almost done but I've a doubt yet: is there an A.D. attribute wich says how many days before the password expiration the warning must be sent?
  I think no because, as far as I know, this is a kind of domain protection constrain wich is not directly related to Active Directory and I didn't find any examples or documentation about such an attribute but I can't really claim to be an expert in Active Directory architecture or Windows management then I think it's better to ask before setting an application parameter :)
  I'm accessing an Active Directory server on a Windows 2003 SP2 computer via an application developed in Java 1.5 under Tomcat 5.5.
  Thanks for any help, take care!
  Massimo Campodonico

  I'm assuming you've discovered the post titled "JNDI, Active Directory and User Account status (account expired, locked)" available at http://forum.java.sun.com/thread.jspa?threadID=716240&tstart=0 that describes account & password expiry etc.
  I think what you are tring to determine (or mimic) is the password reminder interval. Refer to the Microsoft KB article at http://support.microsoft.com/kb/135403 which describes how teh password reminder interval is determined. With Windows 2000 (and beyond), this is configured by group policy, which ultimately configures the registry setting HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\passwordexpirywarning
  Good luck.

• Exempt UME user for password expiration

  Is there a way to exempt a user from the password expiration setting? For example, passwords for all users are set to expire every 90 days, but a user id, say "monitor_user", is used in monitoring application to perform an automated logon check. Every 90 days when the password expires, the monitor fails. Is there a way to set this user's password not to expire?
  Thanks

  Glen and Giorgio,
  Let me see if I can clear things up a little bit.
  First, there is the security policy which is controlled by the UME properties. This defines password length, logon ID length, etc. These properties apply to the entire AS Java and cannot be trimmed down for individual users. How they apply to users in different data sources also varies. For example, these properties are ignored to some extent if you have an ABAP system as your user store. See the following link:
  http://help.sap.com/saphelp_nw04s/helpdata/en/7f/c52442ad9f5133e10000000a155106/frameset.htm
  Second, as of NW 04s SPS 7 a new user attribute was added, named "security policy". For individual users you can choose one of the following security policies:
  default users (user can logon, password rules apply)
  technical users (user can logon, password does not expire)
  internal service users (user cannot logon, usually do not have passwords)
  There is a fourth policy: unknown users, applies to certain users mapped from an AS ABAP.
  In SPS 7 I believe and latest in SPS 8, you have limited abilities to change the security policy of the user with identity management. You can change the policy from unknown or default to technical but not back.
  In SPS 9 and later you can change the policy from unknown or default to technical and from unknown or technical to default.
  I wonder if support misunderstood your question and thought you were referring to the first type of security policy and not the second.
  Message was edited by: Michael Shea

• Want a solution for a scenario-To Set Password expiration in OID from OIM

  Hi,
  I have one scenario. Please guide me in some details to achieve this.
  I have one password policy in OIM. When user's password expires in OIM, then his password should also expire in OID. We have OID as user's repository.
  For this I have one solution but dont know how to implement this in OIM.
  "OID has the LDAP attribute called “pwdMaxAge” map this attribute to the OIM resource object and reset this value to number of days (as per password policy) whenever you change the password in OIM. This will set the password expiration time in the OID without having the password policy in place. "
  Plesae suggest.
  Thanks in advance.

  Well here is what you can do:
  - For OIM the user's password will be governed with the Xellerate User password policy, which says that password must be changed every 28 days. So you are good in handling this in OIM.
  Now for OID side, you have two options - *1. User changes OID password directly* and *2. User changes OID password through update in OIM profile password*. Most probably tou would want the second case. If true then here is what you can do.
  - As user changes the OIM password. Create automatic trigger Change User Password which updates the password in the process form of OID.
  - This invokes the Password Updated task.
  - On SUCCESS of this task, call another task which goes to OID target and updates the attribute pwdMaxAge to Current date + 28
  Thanks
  Sunny

• Root password expired - not your typical case

  Hello everyone,
  I apologize for asking what is a very FAQ, but I am unable to find an appropriate answer anywhere on the interweb.
  The facts of my unfortunate situation are:
  1. I am a newbie in the SA world.
  2. I am even more of a newbie in the Solaris world.
  3. I am administering a Production Database system on Solaris 9.
  4. Within the last couple days the root password expired.
  5. When I attempt to login at the console as root, I receive the following message. "Roles can only be assumed by authorized users."
  It seems to me that root ought to be authorized to login to the console.
  I've read that I can boot from the CD to resolve this issue, but the system in question has the CD drive disabled. If only I could figure out how to login to the console as root, I'm sure that it would let me update the password, but I don't know how to work around the "Roles can only be assumed by authorized users" issue.
  Please help!
  Thanks in advance for your assistance. It is greatly appreciated.

  Well, I've learned an awful lot in the process of trying to resolve this issue. I'm still not there, but I'm getting close.
  I have done a ton of research on the net, and I am unable to find any specific detailed instructions on how to fix the root password expired issue. So, I figured I would paraphrase what I believe are the detailed steps to be taken. If you see an error in my logic, or my syntax please let me know, as I will be beginning this process soon.
  So, we have RBAC or Role Based Access Control on the Solaris 9 box, and the root password has expired. This is a pretty annoying situation to be in, but it can be fixed easily enough.
  First, we'll want to gracefully shutdown all the processes which are currently running on the system. This is accomplished by executing the following command which will put the system into single user mode:
  init -1
  Determine where your root file system (e.g. c1t0d0s0) is located by typing the following command (you'll want to make note of the result):
  /etc/vfstab
  Next, we need to access the EEPROM. Before doing this, you should do execute the following command to see if your EEPROM is password protected.
  eeprom |grep security
  Look for the line that reads "security-mode=" If security mode is set to "none" or "none-secure" you're golden, proceed with the next step. If security mode is set to "command" "command-secure" "fully" or "fully-secure" you want to make sure you have your EEPROM password, otherwise you'll be in worse shape than when you started.
  Assuming that you either have the EEPROM password, OR the system is set to "security-mode=none" you can proceed to the EEPROM prompt by pressing the following key combination:
  Stop + A
  You should now have an OK> prompt. Insert the Solaris 9 Installation CD into the CDRom drive. At the prompt type the following command to boot from your CD rom:
  boot cdrom -sw
  Once the boot sequence is complete, execute the following command to mount your root filesystem.
  mount /dev/dsk/<root filesystem device file> /mnt
  Once you have mounted the root file system, you will need to change the /etc/user_attr file to allow console access by root. Open /etc/user_attr with your editor of choice. On the line beginning with root::::type=role; etc etc change the setting type=role to type=normal and save the user_attr file.
  Enter the following command to go back to the OK prompt:
  halt
  Then enter boot -s to reboot your system. You should now be able to login to the console with root, which will allow you to update your password. Once you have done so, do an init -3 to bring the user back up to the standard mode of operation.
  Thanks again Jeffery for your help in this matter. I hope to have this situation resolved soon, but I want to make sure that all my ducks are in a row before I start playing Russian Roulette with my server. Does the above walkthrough sound accurate? Is there anything that I have misuderstood or overlooked?

• Portal Users Passwords expiring

  In 9.02 it seems my portal users passwords seem to expire for no reason. When it happens, I have to go in and manually re-set their passwords. Is this a bug or is there some place to control this.

  Set the number of seconds before password expiration that the directory server
  sends the user a warning. By default the "Password Expiration Warning"
  parameter is set to 0, which disables the expiration warning.
  Also if the users need to be able to login after the password expiration set
  the "Number of Grace Logins after Password Expiration" parameter to a
  number greater than 0.
  Change these parameters in the following manner:
  1. Start the Oracle Directory Manager from the home of the iAS Infrastructure
  2. Login as the OID administrator, i.e. orcladmin
  3. Click on the + on the left of Password Policy Management
  4. Click on your password policy to change the settings on the right pane
  5. Set the Password Expiration Warning in seconds i.e. 259200 for 3 days.
  6. Set the Number of Grace Logins after Password Expiration to a greater than 0
  value i.e. 1. This will add a last opportunity for the user after his/her
  password expired.

• Password expiration notification workflow

  I need to create a workflow which will send emails to users who's password is about to expire. For reasons I don't want to get into here, I don't want to use a defered task.
  I know there's got to be a way of grabbing a list of users along the lines of
  select all users with waveset.passwordExpiry >= date1 and <= date2
  Can anyone point me in the right direction?

  I need to create a workflow which will send emails to
  users who's password is about to expire. For reasons
  I don't want to get into here, I don't want to use a
  defered task.
  I know there's got to be a way of grabbing a list of
  users along the lines of
  select all users with waveset.passwordExpiry >= date1
  and <= date2
  Can anyone point me in the right direction?Did you happen to get a solution to this? I am trying both query options and to list users with a password expiration date - but to no avail
  <Rule name='GetUsersWithPasswordExpirationDate'>
      <RuleArgument name="aDate"/>
          <block>
                      <block>
                          <defvar name='queryOptions'>
                              <new class='com.waveset.object.QueryOptions'/>
                          </defvar>
                          <invoke name='addCondition'>
                              <ref>queryOptions</ref>
                              <s>passwordExpiry</s>
                              <ref>aDate</ref>
                          </invoke>
                          <invoke name='toList'>
                              <invoke name='getObjects'>
                                  <invoke name='getLighthouseContext'>
                                  <ref>WF_CONTEXT</ref>
                              </invoke>
                              <invoke class='com.waveset.object.Type' name='findType'>
                                  <s>User</s>
                              </invoke>
                              <invoke name='toMap'>
                                  <ref>queryOptions</ref>
                              </invoke>
                          </invoke>
                      </invoke>
                  </block>
      </block>
  </Rule>
  <Rule name="GetUsersWithPasswordExpirationDate">
      <RuleArgument name="aDate"/>
      <expression>
          <block trace='true'>
              <cond>
                  <ref>aDate</ref>
                  <invoke name='toList'>
                      <invoke name='listObjects'>
                          <invoke name='getLighthouseContext'>
                              <ref>WF_CONTEXT</ref>
                          </invoke>
                          <s>User</s>
                          <map>
                              <s>attributes</s>
                              <map>
                                  <s>passwordExpiry</s>
                                  <ref>aDate</ref>
                              </map>
                              <s>nameOnly</s>
                              <Boolean>true</Boolean>
                          </map>
                      </invoke>
                      <s>name</s>
                  </invoke>
              </cond>
          </block>
      </expression>
  </Rule>

• Password expiration mail and schedule tasks

  Dear Experts,
  To best of my observation OIM has OOTB feature to send mail on password expiry.
  Kindly suggest how do I find
  Query1 – how many days password get expired?
  Query2 – Which mail will be send to user when password expires?
  Query3 – Which schedule task does this?
  OIM version is 9.1.0.2.
  Kindly suggest.
  Thanks,
  S M

  In OIM 10g the schedule task name is Password Expiration Task. This task sends e-mail to users whose password expiration date has passed at the time when the task runs. It is determined by the USR table field USR_PWD_EXPIRE_DATE. The email template name is given as one of the attributes to this schedule task. That particular email is sent. The name of the email definition is "Password Expired". After that it updates the USR_PWD_EXPIRED flag on the user profile.
  Edited by: Durgaprasad on Apr 9, 2013 11:15 PM

• DS 6.2 and password expiration

  Hello,
  I'm having problems enforcing password expiration with DSEE. We have two Solaris 10 DSEE 6.2 servers configured with multi-master replication. The clients are running Solaris 8 (117350-47 Jun 2007 kernel patch level), and are using pam_ldap authentication.
  Using either telnet (just as a test) or ssh to login, I don't receive warnings of password expiration, nor is the account locked after passwordExpirationTime is exceeded.
  As an example, I can still authenticate as a user with this passwordExpirationTime:
  passwordExpirationTime=20071123163438Z
  The following is our DSEE password policy:
  pwd-accept-hashed-pwd-enabled : off
  pwd-check-enabled : on
  pwd-compat-mode : DS6-mode
  pwd-expire-no-warning-enabled : on
  pwd-expire-warning-delay : 4w
  pwd-failure-count-interval : 10m
  pwd-grace-login-limit : disabled
  pwd-keep-last-auth-time-enabled : on
  pwd-lockout-duration : disabled
  pwd-lockout-enabled : on
  pwd-lockout-repl-priority-enabled : on
  pwd-max-age : 12w6d
  pwd-max-failure-count : 4
  pwd-max-history-count : 3
  pwd-min-age : 1w
  pwd-min-length : 6
  pwd-mod-gen-length : 6
  pwd-must-change-enabled : off
  pwd-root-dn-bypass-enabled : off
  pwd-safe-modify-enabled : off
  pwd-storage-scheme : SSHA
  pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
  pwd-strong-check-enabled : on
  pwd-strong-check-require-charset : any-three
  pwd-supported-storage-scheme : CRYPT
  pwd-supported-storage-scheme : SHA
  pwd-supported-storage-scheme : SSHA
  pwd-supported-storage-scheme : NS-MTA-MD5
  pwd-supported-storage-scheme : CLEAR
  pwd-user-change-enabled : on
  Am I missing something obvious in the DSEE password policy? Would any other information be helpful in troubleshooting, such as /etc/pam.conf, patch levels of other packages, etc.?
  Thanks!

  If your DS6 instance is in DS5-compatible-mode (see above references), passwordExpirationTime is not ignored; however, please note that modifying server operational attributes via protocol has never been supported.
  A supported way to force a user to change his or her password (without administratively resetting the password) would be to define a specialized password policy with a small max-age value (but maintaining the relationship pwdMinAge+pwdExpireWarning<pwdMaxAge), and use Roles/CoS to scope the policy to the user entry that requires a password change, but for which the password has not yet been changed. A value of pwdChangedTime in the past (or its absence from the entry) would indicate that the password had not yet been changed as requested. If the DS6 instance is in DS5-compatible-mode, you will need to enable grace logins via passwordWarning in the policy, while if the DS6 instance is in DS6-migration-mode or DS6-mode, you will also need to enable grace logins via pwdGraceAuthNLimit in the policy. Otherwise, the user cannot bind with an expired password.
  OpenDS includes a "must-change-by" feature in the password policy that simplifies configuring the specialized password policy, but I'm not aware of any plans to add this feature to DS6.

• DS 6.3 password expiration oddities

  I have been exploring an upgrade from DS5.2 to DS 6.3 to take advantage of the enhanced password policies and password expiration that have never worked quite right in DS5.2.
  The previous 5.2 and migrated 6.3 environments both use netgroups to restrict logins to specific systems.
  This generally works very well, although I'm seeing weirdness for local system accounts.
  I've explored the forums, tweaked pam.conf and nsswitch.conf in pretty much every way that's been suggested.
  DS 6.3 is setup on Solaris 10, and my client systems are Solaris 8, with all of the latest necessary patches applied.
  nsswitch has:
  passwd: compat
  group: compat
  passwd_compat: ldap
  group_compat: ldap
  netgroup: ldap
  All local and LDAP accounts can login fine if pam.conf has:
  other account requisite pam_roles.so.1
  other account binding pam_unix_account.so.1 server_policy
  other account required pam_ldap.so.1
  But no warning messages are received from the directory server for password expiration or administrative password resets.
  If I change pam.conf to have:
  other account requisite pam_roles.so.1
  other account optional pam_ldap.so.1
  other account binding pam_unix_account.so.1 server_policy
  All users can login, password expiration warnings are received, and users are notified if the admin user resets their password, but (as expected) users aren't forced to reset their password on first login or resets.
  Using "required" or "requisite" for pam_ldap in the above stack order, disables local account logins, as they are
  prompted for LDAP passwords that they don't have.
  Any combination of settings that I've tried that successfully force resets, etc. appear to disable the ability of local accounts to login - they are prompted for LDAP password, which of course fails.
  If anyone can demonstrate a combination of nsswitch.conf and pam.conf settings that will actually allow local user login, but still enforce password policies and expiration warnings, for Solaris 8 clients, it would be greatly appreciated.

  I'm still struggling to get password expiration and inactivation to work with DS 6.3.1 and Solaris 10 5/08. When accounts are expired or inactivated (nsAccountLock) users can still login via ssh. But when accounts are temporarily locked (pwdAccountLockedTime) ssh does the right thing and won't let them log in.
  Things work properly when I have
  passwd: files ldap
  in nsswitch.conf, but when I go to compatibility mode:
  passwd: compat
  passwd_compat: ldap
  ssh 'ignores' expiration and inactivation status of accounts.
  Following the advice of your last comment here (4.5 years ago!) I took away all access to the 'userPassword' attribute for the proxy account, but nothing changed (I did an 'ldapsearch' as the proxy account to ensure that the aci was working as expected and denying all access to the attribute).
  Would you, akillenb, or anyone, be so kind as to give any information that will let a Solaris 10 client work properly with the enhanced account management facilities of the Sun DSEE 6.3.1 LDAP server? Copies of pam.conf and nsswitch.conf and details on LDAP aci's would be most gratefully received!!!

• How can I display the password expiration date for a user

  I have created a GUI (using PrimalForms) which runs powershel scripts to pull information like user ID, email address, last logon ec. for the helpdesk to help establish the validity of some user claims of "it worked yesterday" and the like.
  I have been asked to add the password expiration date, but I am struggling to get the code for this addition.
  Does anyone know how I can include this, and have it in a human readable format?
  The current scripts (there are 3) allow the helpdesk staff to search on user ID and display name, the third provides the last logon, it was impossible to include this in the other scripts so I added an extra search button and called it good. An example of
  these scripts is below (please note, PrimalForms needs a slightly different syntax in order to get the results displayed, but the core script is standard PS, I use Powershell 3.0)
  $results.Text=Get-ADUser -Filter "sAMAccountName -eq '$($EntryBox.text)'" -Properties DisplayName, sAMAccountName, mail, extensionattribute5, PasswordLastSet, PasswordExpired, PasswordNeverExpires, buMemberOf, telephoneNumber, msExchOmaAdminWirelessEnable, whenCreated, whenChanged, enabled, AccountExpirationDate | select givenName, surname, DisplayName, sAMAccountName, mail, extensionattribute5, PasswordLastSet, PasswordExpired, PasswordNeverExpires, buMemberOf, telephoneNumber, msExchOmaAdminWirelessEnable, whenCreated, whenChanged, enabled, AccountExpirationDate | Out-String
  $results.Focus()
  for info:
  $results.text is the window in the GUI results are displayed  in
  $entrybox.text is the text box the helpdesk staff use to input the user ID or display name of the account they are querying
  $results.focus simply tells the script to put the results in the results.text window
  The screenshot below shows the current setup, this is purely to put the above information into perspective. Obviously some of the information displayed has been removed/redacted along with our logo.

  Hi,
  Here's an example you can build from:
  $maxPasswordAge = 120
  Get-ADUser USER -Properties PasswordLastSet |
  Select SamAccountName,
  PasswordLastSet,
  @{N='PasswordLifeRemaining';E={$maxPasswordAge - ((Get-Date) - $_.PasswordLastSet).Days}},
  @{N='PasswordExpirationDate';E={(Get-Date $_.PasswordLastSet).AddDays($maxPasswordAge)}}
  Don't retire TechNet! -
  (Don't give up yet - 13,085+ strong and growing)

• Password Expire agrument while creating a new user

  When I create a user using the script:
  create user xxxx identified by yyy
  default tablespace -----
  temporary tablespace ----
  quota ---
  password expire;
  When the user logons for the first time, oracle throws a
  ORA-00988 error:
  missing or invalid password...
  My question is?
  On a UNIX system (I'm running on Window 2000 Professional)
  do you get the same error? Is this a misleading error message?
  Has anyone else seen this error message?
  Thank you in advance
  Mike Parish
  Toronto, Canada

  I found the answer:
  You must loging in sql/plus and typing alter user OWBSYS identified by password. The password depend on you, which name you will to them.
  Mehdi

• Capturing the Message on the Login Page (Invalid user/password expired etc.

  Hi, I have a requirment for capturing the error message on the Login page if the User's Account is expired or Account is Disabled or Invalid credentials, Password Lockout etc.
  I am using the attached login page. Can any one please help me out on this.
  <html><head><title>AARPLogin Page</title>
  <script type="text/javascript" language="JavaScript" xml:space="preserve">
  // This function automatically gets called for broswer detection
  var isNav4 = false;
  var isIE4 = false;
  var isNS6 = false;
  function obDetectBrowser()
  if ( navigator.appVersion.charAt( 0 ) == "4" )
  if ( navigator.appName == "Netscape" )
  isNav4 = true;
  } else {
  isIE4 = true;
  else
  if ( navigator.appVersion.charAt( 0 ) >= 5 )
  if ( navigator.appName == "Netscape" )
  isNS6 = true;
  obDetectBrowser ();
  var HOSTNAME =
  var COOKIE_OBREQUESTEDURL = "OBREQUESTEDURL";
  var COOKIE_OBFORMLOGINCOOKIE = "ObFormLoginCookie";
  var NCID_LANDING_PAGE_URL = "/landing/";
  var QS_REDIR = "ReDir";
  var keyChooser;
  function checkPasswordEnterKey( event )
  var form = document.forms[0];
  if (isNav4 || isNS6) {
  keyChooser = event.which ;
  } else if (isIE4) {
  keyChooser = window.event.keyCode;
  if (keyChooser == 13) {
  if (
  form.userid.value
  && form.userid.value != ""
  && form.password
  && form.password.value != ""
  form.submit();
  return true;
  else
  alert('Please enter a UserId and Password');
  return false;
  function showHidePanel( panelID, displayValue )
  var panelElement = document.getElementById( panelID );
  if ( displayValue == 'show' )
  panelElement.style.display = 'block';
  else
  panelElement.style.display = 'none';
  function getQueryVariable( variable )
  var query = window.location.search.substring( 1 );
  var vars = query.split( "&" );
  for ( var i=0; i < vars.length; i++)
  var pair = vars[ i ].split( "=" );
  if ( pair[ 0 ] == variable )
  return unescape( pair[ 1 ] );
  return "";
  function Get_Cookie( name )
  var nameEQ = name + "=";
  var ca = document.cookie.split( ';' );
  for( var i=0; i < ca.length; i++ )
  var c = ca[ i ];
  while ( c.charAt( 0 )==' ' )
  c = c.substring( 1, c.length );
  if ( c.indexOf( nameEQ ) == 0 )
  return c.substring( nameEQ.length, c.length );
  return null;
  function Set_Cookie( name, value, expires, path, domain, secure)
  document.cookie = name + "=" + escape( value ) +
  ( ( expires ) ? ";expires=" + expires.toGMTString() : "" ) +
  ( ( path ) ? ";path=" + path : "" ) +
  ( ( domain ) ? ";domain=" + domain : "" ) +
  ( ( secure ) ? ";secure" : "" );
  function Delete_Cookie( name, path, domain )
  if ( Get_Cookie( name ) )
  document.cookie = name + "=" +
  ( (path) ? ";path=" + path : "" ) +
  ( (domain) ? ";domain=" + domain : "" ) +
  ";expires=Thu, 01-Jan-1970 00:00:01 GMT";
  function lostPassword()
  var CurrentLogin = document.forms[0].userid.value;
  if ( CurrentLogin == "" ) {
  alert ( "Please enter your eMail Address." );
  document.forms[0].userid.focus();
  else {
  Set_Cookie( COOKIE_OBFORMLOGINCOOKIE, "done", 0, "/" );
  var LOST_PWD_PAGE = "/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?program=passwordChallengeResponse&login="+CurrentLogin+"&backUrl=http://oradev2.na.aarp.int/login/login.html&target=top";
  window.location = LOST_PWD_PAGE;
  function emailPassword()
  document.passform.submit();
  function onLoad()
  if (getQueryVariable( "MSG" ) == 'LOGIN_FAILED' )
  alert ("Login Failed, Please try again");
  else if (getQueryVariable( "MSG" ) == 'PWD_EXP' )
  alert ("Your Password Is About to Expire. Please Change it at your earliest convenience.");
  var pwdExpUID = getQueryVariable( "login" );
  var hostTarget = getQueryVariable( "hostTarget" );
  var resURL = getQueryVariable( "resURL" );
  var PWD_EXP_PAGE = "/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?program=redirectforchangepwd&login="+pwdExpUID+"&backURL="+hostTarget+resURL+"&target=top";
  window.location = PWD_EXP_PAGE;
  else if (getQueryVariable( "MSG" ) == 'CHGPWD' )
  alert ("You are required to change your password.");
  var chgPwdUID = getQueryVariable( "login" );
  var hostTarget = getQueryVariable( "hostTarget" );
  var resURL = getQueryVariable( "resURL" );
  var CHG_PWD_PAGE = "http://"+HOSTNAME+"/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?program=redirectforchangepwd&login="+chgPwdUID+"&backURL="+hostTarget+resURL+"&target=top";
  window.location = CHG_PWD_PAGE;
  </script></head><body onload="onLoad();document.login.userid.focus();" alink="blue" bgcolor="#ffffff" link="blue" vlink="blue">
  <p align="center">
  <img alt="AARP Header Logo" src="login_files/aarpLogo.gif" border="0" height="91" width="219">
  <br>
  </p><form name="login" method="post" action="/access/oblix/apps/webgate/bin/webgate.so">
  <div class="boldText" align="center">
  <h2>Login</h2>
  <div class="boldText" align="left">
  <div id="LoginFailed" style="display: none;">
  <table align="center" bgcolor="#ff0000" border="0" cellpadding="2" cellspacing="0" width="500">
  <tbody><tr>
  <td>
  <table bgcolor="#e5e5e5" border="0" cellpadding="5" cellspacing="0" width="100%">
  <tbody><tr bgcolor="#ffffff">
  <td rowspan="3" height="40" nowrap="nowrap" valign="top">
  <img src="login_files/error.gif" name="error" height="20" width="20">
  </td>
  <td rowspan="3" align="center">
  <p>
  <font color="#ff0000" size="-1">
  <b>
  <div id="TryAgain" style="display: none;">Login Failed! Invalid UserID and/or Password, Please try again.<br></div>
  <div id="AccountLocked" style="display: none;">Your Account has been Locked!</div>
  </b>
  </font>
  </p>
  <p>
  <font color="#ff0000">
  <b>For
  assistance call E-Services Help Line at (XXX) XXX-XXXX Monday through
  Friday between the hours of 8:00 am and 5:00 pm eastern standard time.</b>
  </font>
  </p>
  </td>
  </tr>
  <tr bgcolor="#ffffff">
  </tr><tr bgcolor="#e5e5e5">
  </tr></tbody></table>
  </td>
  </tr>
  </tbody></table>
  </div>
  <br>
  </div>
  <table border="0" cellpadding="0" cellspacing="0" width="500">
  <tbody><tr>
  <td background="login_files/border_upper_left.gif" height="20" nowrap="nowrap" width="20"> </td>
  <td background="login_files/border_top.gif" height="20" nowrap="nowrap"> </td>
  <td background="login_files/border_upper_right.gif" height="20" nowrap="nowrap" width="20"> </td>
  </tr>
  <tr>
  <td background="login_files/border_left.gif" nowrap="nowrap" width="20"> </td>
  <td>
  <table bgcolor="#ebebce" border="0" cellpadding="2" cellspacing="0" height="100%" width="100%">
  <tbody><tr>
  <td colspan="3" align="center">
  <font color="darkred" face="Arial" size="3">
  <b>
  </b></font>
  <b> </b></td>
  </tr>
  <tr valign="bottom">
  <td colspan="3" width="100%">
  <table bgcolor="#ebebce" border="0" cellpadding="5" cellspacing="0" width="100%">
  <tbody><tr bgcolor="#e5e5e5">
  <td rowspan="2" bgcolor="#ebebce" height="20" nowrap="nowrap" valign="top" width="4%">
  <font color="#000000">
  <span class="text">
  <img src="login_files/arrow.gif" align="top" height="20" width="20">
  </span>
  </font>
  <font color="#000000"> </font>
  </td>
  <td rowspan="2" bgcolor="#ebebce" width="96%">
  <font color="#000000" size="-1">
  <span class="text">Please enter your Email and Password. If you are a new user to AARP, please select First Time AARP User.
  </span>
  </font>
  </td>
  </tr>
  <tr bgcolor="#e5e5e5">
  </tr></tbody></table>
  </td>
  </tr>
  <tr valign="bottom">
  <td colspan="3">
  <table align="center" border="0" width="349">
  <tbody><tr>
  <td nowrap="nowrap" width="74">
  <font color="#000000" size="-1">
  <div align="left">eMail:</div>
  </font>
  </td>
  <td width="265">
  <input name="userid" value="" size="32" maxlength="32" tabindex="2" type="text">
  </td>
  </tr>
  <tr>
  <td>
  <font color="#000000" size="-1">
  <div align="left">Password:</div>
  </font>
  </td>
  <td>
  <p>
  <font color="#000000" size="-1">
  <input name="password" size="32" maxlength="32" length="30" tabindex="3" type="password">
  </font>
  </p>
  </td>
  </tr>
  </tbody></table>
  </td>
  </tr>
  <tr>
  <td>
  <font color="#000000" size="-1">
  <p align="center"><b>Forgot Your Password?</b></p>
  </font>
  </td></tr>
  <tr>
  <td align="center"> <font color="#000000" size="-1"><!--
  Reset Password      
  -->
  Email New Password
  </font>
  </td></tr>
  <tr>
  <td colspan="4">
  <div class="boldText" align="center">
  <br>
  <input src="login_files/button_login.gif" name="Submit" value="" alt="login" type="image">
  <!--
  <b class="boldText"><img src="../images/button_login.gif" width="68" height="25" name="img_login" border="0" alt="login"/></b>
  --> <b class="boldText"><img src="login_files/button_clear.gif" name="img_clear" alt="clear" border="0" height="25" width="68"></b>
  <b class="boldText"><img src="login_files/button_help.gif" name="img_help" alt="help" border="0" height="25" width="68"></b>
  <b class="boldText"><img src="login_files/button_cancel.gif" name="img_cancel" alt="cancel" border="0" height="25" width="68"></b>
  </div>
  </td>
  </tr>
  </tbody></table>
  </td>
  <td background="login_files/border_right.gif" nowrap="nowrap" width="20"> </td>
  </tr>
  <tr>
  <td background="login_files/border_lower_left.gif" height="20" nowrap="nowrap" width="20"> </td>
  <td background="login_files/border_bottom.gif" height="20" nowrap="nowrap"> </td>
  <td background="login_files/border_lower_right.gif" height="20" nowrap="nowrap" width="20"> </td>
  </tr>
  </tbody></table>
  <p></p>
  <span class="text"><br><br><b>NOTICE:
  This system is the property of AARP and is for authorized use only.
  Unauthorized access is a violation of federal and state law. All
  software, data transactions, and electronic communications are subject
  to monitoring.</b></span>
  <div id="hr" style="position: absolute; width: 100%; height: 10px; z-index: 90; top: 657px; left: 10px;">
  <hr>
  </div>
  <div id="footer" style="position: absolute; width: 700px; height: 55px; z-index: 115; top: 678px; left: 50px;">
  <span class="subhead">
  Privacy Policy
  Disclaimer
  Contact Us
  </span>
  <span class="bodytext">
  </span></div>
  <form name="passform" action="http://oradev2.na.aarp.int/wampassword/passwordReset.html" method="post">
  <input name="login" value="" type="hidden">
  <input name="backUrl" value="http://oradev2.na.aarp.int/login/login.html" type="hidden">
  </form>
  <script type="text/javascript" language="JavaScript" xml:space="preserve">
  var undefined;
  if (
  document.login
  && document.login.password
  function clearForm()
  document.login.reset();
  function navigate( linkName )
  if ( 'login' == linkName )
  if ( document.accountLogin.userID.value != '' && document.login.password.value != '' )
  alert('Please click the Account Registration Setup link for now');
  //document.location = 'userDataPersonal.htm';
  else
  alert('Please enter a UserId and Password');
  function openHelp()
  helpDoc = window.open( "http://www.aarp.org", "", "scrollbars=yes,resizable=yes,width=500,height=300" );
  function cancel()
  // open dialog
  var initX = parseInt( window.screenX ) + parseInt( window.outerWidth ) / 2 - 100;
  var initY = parseInt( window.screenY ) + parseInt( window.outerHeight ) / 2 - 50;
  cancelDialog = window.open( "./cancelDialog.html", " cancelDialog", "resizable=yes,toolbar=no,menubar=no,width=200,height=150,screenX=" + initX +",screenY=" + initY );
  </script>
  </div></form></body>
  <script type="text/javascript">
  <!--
  function __RP_Callback_Helper(str, strCallbackEvent, splitSize, func){var event = null;if (strCallbackEvent){event = document.createEvent('Events');event.initEvent(strCallbackEvent, true, true);}if (str && str.length > 0){var splitList = str.split('|');var strCompare = str;if (splitList.length == splitSize)strCompare = splitList[splitSize-1];var pluginList = document.plugins;for (var count = 0; count < pluginList.length; count++){var sSrc = '';if (pluginList[count] && pluginList[count].src)sSrc = pluginList[count].src;if (strCompare.length >= sSrc.length){if (strCompare.indexOf(sSrc) != -1){func(str, count, pluginList, splitList);break;}}}}if (strCallbackEvent)document.body.dispatchEvent(event);}function __RP_Coord_Callback(str){var func = function(str, index, pluginList, splitList){pluginList[index].__RP_Coord_Callback = str;pluginList[index].__RP_Coord_Callback_Left = splitList[0];pluginList[index].__RP_Coord_Callback_Top = splitList[1];pluginList[index].__RP_Coord_Callback_Right = splitList[2];pluginList[index].__RP_Coord_Callback_Bottom = splitList[3];};__RP_Callback_Helper(str, 'rp-js-coord-callback', 5, func);}function __RP_Url_Callback(str){var func = function(str, index, pluginList, splitList){pluginList[index].__RP_Url_Callback = str;pluginList[index].__RP_Url_Callback_Vid = splitList[0];pluginList[index].__RP_Url_Callback_Parent = splitList[1];};__RP_Callback_Helper(str, 'rp-js-url-callback', 3, func);}function __RP_TotalBytes_Callback(str){var func = function(str, index, pluginList, splitList){pluginList[index].__RP_TotalBytes_Callback = str;pluginList[index].__RP_TotalBytes_Callback_Bytes = splitList[0];};__RP_Callback_Helper(str, null, 2, func);}function __RP_Connection_Callback(str){var func = function(str, index, pluginList, splitList){pluginList[index].__RP_Connection_Callback = str;pluginList[index].__RP_Connection_Callback_Url = splitList[0];};__RP_Callback_Helper(str, null, 2, func);}
  //--></script></html>

  Is it not possible that someone fired the password expiration cmd ?
  SQL> select limit
    2  from   dba_profiles
    3  where  profile='DEFAULT'
    4  and resource_name='PASSWORD_LIFE_TIME';
  LIMIT
  UNLIMITED
  SQL> select profile from dba_users where username='MYUSER';
  PROFILE
  DEFAULT
  SQL> conn myuser/myuser
  Connected.
  SQL> conn / as sysdba
  Connected.
  SQL> alter user myuser password expire;
  User altered.
  SQL> conn myuser/myuser
  ERROR:
  ORA-28001: the password has expired
  Changing password for myuser
  New password:
  Password unchanged
  Warning: You are no longer connected to ORACLE.
  SQL> conn / as sysdba
  Connected.
  SQL> select name, astatus, TO_CHAR(ctime,'DD-MM-YYYY HH:MI') CTIME, TO_CHAR(ptime,'DD-MM-YYYY HH:MI') PTIME, TO_CHAR(EXPTIME,'DD-MM-YYYY HH:MI') EXPIRE
    2  from sys.user$ where name ='MYUSER';
  NAME
     ASTATUS CTIME
  PTIME
  EXPIRE
  MYUSER
           1 23-11-2011 11:15
  23-11-2011 11:15
  23-11-2011 11:17
  SQL>Nicolas.

• Password expire date back to 2011 from 2012  after assigned  a user profile

  Friends,
  I created a profile test as
  COMPOSITE_LIMIT UNLIMITED
  SESSIONS_PER_USER UNLIMITED
  CPU_PER_SESSION UNLIMITED
  CPU_PER_CALL UNLIMITED
  LOGICAL_READS_PER_SESSION UNLIMITED
  LOGICAL_READS_PER_CALL UNLIMITED
  IDLE_TIME 60
  CONNECT_TIME UNLIMITED
  PRIVATE_SGA UNLIMITED
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LIFE_TIME 120
  PASSWORD_REUSE_TIME           60
  PASSWORD_REUSE_MAX           30
  PASSWORD_VERIFY_FUNCTION NULL
  PASSWORD_LOCK_TIME 1
  PASSWORD_GRACE_TIME 7;
  the user default profile default PASSWORD_LIFE_TIME is 180 and password expired date is 1/7/2012. the test account was created in 7/11/2011.
  Now I assign test user to test profile successfully.
  However. expire date becomes 11/8/2011 1 from 1/7/2012 by select dba_users
  which wrong is in my profile or somewhere?
  As I think, the account password expired should be start after assigned new profile with PASSWORD_LIFE_TIME. but is seems expire date is start from original account created date.
  Thanks
  newdba
  Edited by: Oradb on May 24, 2012 1:56 PM

  I would think the expire time would be based on the last password change time which Oracle stores in the rdbms base table for user information (user$). Find a second user, alter the password, check the expire date, then assign the user to the new profile, re-check the expiration date. Post back. Behavior may vary between releases so include full Oracle version of test.
  HTH -- Mark D Powell --

• "user password expiration" for every 30 days for the NW2004S systems

  Dear all,
  We are using NW2004s with BI and DI,EP. We set the parameter "user password expiration" for every 30 days for the NW2004S systems(dual stack).
  In  the system  users SAPJSF,NWDI_CMSADM,J2EE_ADMIN,NWDI_ADM, ADMINITRATOR is also getting change once in every month(30 days),So that we need to change the password and it should get update in the visual admin and config tools. Some time this arising problem. Is there any way to avoid the password expire for this particular user in the system .
  Note :Password expire parameter should keep compulsory  in the system
  So Please guide us to resolve those problem.
  Thanks in advance
  Regards
  Lakshminarayanan M

  Hi!
  I don't suggest you to change J2EE_ADMIN password. instead you should logon with your user.
  Anyway.... please find below a small program to control passwords validity. for some users is very usefull.
  REPORT  ZS_ALTERA_DATA_PASS                     .
  tables:usr02.
  select-options : s_users for usr02-bname.
  parameter:       p_data  like usr02-bcda1 default sy-datum.
  update usr02 set bcda1 = p_data
               where bname in s_users.
  if sy-subrc eq 0.
  MESSAGE 'Password validity changed' type 'S'.
  else.
  MESSAGE 'ERROR changing password validity' type 'E'.
  endif.
  cheers