Top Secret

  • 1.  Decreasing PWEXP and INACTIVE controls / seeking lessons learned

    Posted Mar 31, 2020 11:41 AM
    Trying to connect with anyone that has worked through a reduction in system settings for PWEXP and INACTIVE. We are looking to reduce from the current 90-day value down to 30 days. Can anyone confirm that updates to the system settings only apply to new accounts added to the system and that all existing user accounts with the 90 PWEXP value will have to be updated independently?
    The information I've been given indicates that in addition to updating the system settings of PWEXP and INACTIVE, all existing user accounts with an expire value will require an update using the command: TSS ADD(ACID) PASSWORD(*,30).

    Also looking to confirm that if we set PWEXP(30) and INACTIVE(30,LASTUSED), this will ensure that accounts created but never logged into will also be set to PSUSPEND after 30 days of creation.

    Trying to prevent any gotchas, so I appreciate any and all feedback.




  • 2.  RE: Decreasing PWEXP and INACTIVE controls / seeking lessons learned
    Best Answer

    Posted Mar 31, 2020 01:14 PM

    Definite impact to production.  We changed our INACTIVE option to 30,LASTUSED last year.  It impacted all users and our service desk because Top Secret would expire the ACID after 30 days from last used date and would not allow the user to log on after 30 days to change the password, so the user would have to call the service desk and have their password changed.

    The PWEXP by default is 30 days, but the setting will work and you should be able to change that without any impact. If you have a dev environment, I suggest testing the creation of an ACID using PASS(XXXXXX,EXP), then use the List command DATA(PASS) and see what the password expiration interval is. Also, use the TSS REPLACE(ACID) PASSWORD(*,30) command instead of ADD.

    These are just my thoughts.  If anyone else has any comments please feel free.


  • 3.  RE: Decreasing PWEXP and INACTIVE controls / seeking lessons learned

    Posted Mar 31, 2020 02:17 PM
    I concur with Michael Simpson's response.  In addition, I'd caution against running the REP(xxxx) PASS(*,30) against all existing users on the same day, as that would result in all users' passwords expiring in 30 days.  Experienced this once long ago in a large environment, and the helpdesk folks were overwhelmed with password resets 31 days later.   One solution to that would be to stagger the changes over a period of time.  Also consider whether or not the "password expires soon" messaging is suppressed by any custom login front-ends.  Display of this message helps users plan for their change so they don't have to think of (and then quickly forget) a new password on the fly.

    ------------------------------
    Joe Denison
    joe@tssadmin.com
    ------------------------------
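
The staggering suggested in the reply above, sketched as an added example (not part of any post in this thread): a Python planner that spreads `TSS REPLACE(acid) PASSWORD(*,30)` commands over several run dates so that expirations do not all land on one day. The function names and sample ACIDs are hypothetical, and it assumes, as the reply describes, that the new interval starts counting on the day the command is run.

```python
from collections import Counter
from datetime import date, timedelta

def plan_batches(acids, start, batches, interval=30):
    """Spread ACIDs over `batches` run dates on or after `start`.

    A run date is kept only if it and its expiry date (run date + interval)
    both fall Monday-Friday, so resets never pile up after a weekend.
    """
    if batches < 1:
        raise ValueError("batches must be at least 1")
    run_dates, day = [], start
    while len(run_dates) < batches:
        if day.weekday() < 5 and (day + timedelta(days=interval)).weekday() < 5:
            run_dates.append(day)
        day += timedelta(days=1)
    plan = {d: [] for d in run_dates}
    # Round-robin keeps batch sizes within one ACID of each other.
    for i, acid in enumerate(sorted(set(acids))):
        plan[run_dates[i % batches]].append(
            f"TSS REPLACE({acid}) PASSWORD(*,{interval})")
    return plan

def expiry_load(plan, interval=30):
    """Number of passwords that come due on each expiry date."""
    return Counter({d + timedelta(days=interval): len(cmds)
                    for d, cmds in plan.items()})

if __name__ == "__main__":
    acids = [f"USER{n:03d}" for n in range(1, 11)]  # constructed sample ACIDs
    plan = plan_batches(acids, date(2020, 4, 6), batches=5)
    for run_date, cmds in plan.items():
        print(f"* run on {run_date}, expires {run_date + timedelta(days=30)}")
        print("\n".join(cmds))
```

With a 30-day interval only Monday, Tuesday and Wednesday run dates survive the filter, because a Thursday or Friday run would expire on a weekend.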



  • 4.  RE: Decreasing PWEXP and INACTIVE controls / seeking lessons learned

    Posted Apr 02, 2020 02:09 PM
    Thanks for your feedback Joe!