Where is the password expiry message for the AD password being generated?
The password expiry warning is set in two different places. It defaults to 14 days both in AD and in QAS, but there is a setting in AD Group Policy (Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Prompt user to change password) where this can be changed for Windows logon, and an option in vas.conf (pw-expiration-warning-window) where it can be changed on the Unix side. If these two values are not the same, there will be different expiry warning start dates depending on which system is being logged in to. It is the same password of course, so it will expire at the same time from the point of view of all systems, Windows or Unix, no matter what the warnings are set to be.
/opt/quest/bin/vastool configure vas pam_vas pw-expiration-warning-window 14
Here is some information about the setting:
By default, if a user's password is set to expire within 14 days, pam_vas will generate a warning message upon login to notify the user that they should change their password before it expires. This 14-day default can be changed by setting this option to the number of days before the password expires at which the user should begin to get warning messages.
For example, to reduce this to 4 days, do the following:
Note that you can completely disable password expiration warnings for individual PAM services with the no_pw_expiration_warning option for the pam_vas auth options. Setting this value to 0 will also globally disable the password expiration warning for pam_vas.
Setting pw-expiration-warning-window = 0 will disable password expiration warnings totally on the Unix client. This has no effect on the Windows password expiration warning. To disable the password expiration warning for all AD accounts when logging in to a QAS client, run the following command as root:
/opt/quest/bin/vastool configure vas pam_vas pw-expiration-warning-window 0
Then reboot the server. You cannot currently disable the password warning per account. When password expiration is within pw-expiration-warning-window, the user is required to "Press Enter to Continue." There is an Enhancement Request entered for the ability to ignore the "pw-expiration-warning-window" prompt for specific accounts:
ER ID 802873 - Ability to ignore "pw-expiration-warning-window" prompt for specific accounts
Another workaround is to set "Password never expires" on any account for which you do not want the password expiry warning to appear.
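The mismatch described above (different warning windows on Windows and Unix) and the 0 = disabled case can be checked on each QAS client with a small script. This is an added example, not One Identity's code; it assumes vas.conf is INI-style with the option under a [pam_vas] section, and the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the Unix-side warning window with the Windows-side one.
# Assumption: vas.conf is INI-style, with the option in a [pam_vas] section.

# Print the effective pw-expiration-warning-window for a vas.conf file.
# An absent option means the 14-day default applies.
effective_window() {
    awk '
        /^[ \t]*\[/ {                        # section header such as [pam_vas]
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            next
        }
        sec == "pam_vas" && /^[ \t]*pw-expiration-warning-window[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t\r]*$/, "", val)
            found = val
        }
        END { print (found == "" ? 14 : found) }
    ' "$1"
}

# $1 = vas.conf path, $2 = days configured in the Windows Group Policy setting
# (read it from the GPO yourself; this script does not query AD).
compare_windows() {
    unix_days=$(effective_window "$1")
    case "$unix_days" in
        ''|*[!0-9]*) echo "INVALID unix=$unix_days"; return 2 ;;
    esac
    if [ "$unix_days" -eq 0 ]; then
        echo "DISABLED unix=0 windows=$2"; return 1
    elif [ "$unix_days" -ne "$2" ]; then
        echo "MISMATCH unix=$unix_days windows=$2"; return 1
    fi
    echo "MATCH unix=$unix_days windows=$2"
}

# Constructed sample input, not a real host configuration.
sample=$(mktemp)
printf '[vas_auth]\n some-other-option = 1\n[pam_vas]\n pw-expiration-warning-window = 4\n' > "$sample"
compare_windows "$sample" 14 || true    # prints: MISMATCH unix=4 windows=14
rm -f "$sample"
```

Point compare_windows at the client's real vas.conf (commonly /etc/opt/quest/vas/vas.conf, which is an assumption since the page does not give the path) and pass the number of days from the Group Policy setting as the second argument.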