Your organization's strategy for password expiration dictates how long JumpCloud user account passwords are valid and when users need to change their password. This allows your organization to implement security policies that meet your compliance standards.
JumpCloud's password expiration options let you:
- Set a password lifespan for your organization.
- Require new users to change their temporary password the next time they log in.
- Immediately expire individual user passwords.
Configuring the Password Aging Settings for Expiration
JumpCloud's Password Aging settings for expiration apply globally for your entire organization. Access and manage these settings from Settings > Security > Password Settings. Learn more in Manage Password and Security Settings.
Considerations:
- Individual users can be exempted from password expiration. See Get Started: Users.
- If a password expires, users will remain logged in as long as they are active. Once they become inactive, such as when the device goes to sleep, the user will be locked out of their account and will need to change their expired password to log in. Learn more in Unlock User Accounts.
- Alternatively, you can configure the actions taken when a user's password expires for Google Workspace, RADIUS, LDAP and M365/Entra ID via the JumpCloud API.
- Settings don't apply to the JumpCloud Menu Bar App.
- You can't modify the password expiration notice on the JumpCloud Menu Bar App/Windows App. Users on JumpCloud-managed Mac and Windows devices are encouraged to update their passwords in the JumpCloud Menu Bar App to keep their passwords in sync with Keychain, FileVault and other apps.
- For MacOS, see Manage MacOS Passwords.
- For Windows, see Manage Passwords Using the JumpCloud Windows App.
To manage Password Aging settings:
- Log in to the .
- Go to Settings > Security.
- In the Password Settings section, enable and disable the Password Aging options for your org.
- Click Save.
You can set the following settings for password expiration:
- most recent passwords cannot match each other (limit historical reuse): Specifies the number of unique passwords a user has to create before they can reuse a previous password. Enter a number between 1-24.
- N days until password expiration: Specify the lifespan (in days) of passwords for your organization. If you don't choose to expire passwords, they're valid indefinitely. After the lifespan expires, users must change their password.
- N days prior to password expiration, require password reset at login: If you choose to expire passwords, you can require users to reset their password for a certain number of days before their password expires. This option helps ensure that access to password protected resources isn't interrupted by requiring users to change their password before it expires.
- Allow password change after expiration: You can allow users with expired passwords to change their password from their JumpCloud-managed device, alleviating the need for admins to manually reset user passwords. See considerations below before enabling this option.
Considerations for Allow password change after expiration:
- After you expire a user's password, it's immediately invalid; the user is logged out of their device and connected resources, and is required to change their password from their JumpCloud-managed device the next time they log in.
- If you've required MFA for the User Portal, your users will need to verify their identities using one of the configured methods.
- If you haven't enabled the Allow password change after expiration setting for your organization and attempt to expire a user's password, you can either enable the setting for your org or cancel the password expiration. If you enable the setting for your org, all users with expired passwords are able to reset their password from their JumpCloud-managed devices.
Managing Password Expiration for New Users with Temporary Passwords
When you create new users, you can give them a temporary password. To make sure users change their password to a private, secure password quickly, you can require that they change their password the next time they log in to their JumpCloud-managed device.
Read considerations for Allow password change after expiration.
To require a new user to change their temporary password:
- Log in to the .
- Go to USER MANAGEMENT > Users.
- Click ( + ), then select Manual user entry. Learn about creating users: Get Started: Users.
- On the New User panel's Details tab, in the User Security Settings and Permissions section, select Specify initial password, then enter a temporary password for the user.
- Next, select the User must change password at next login option. If you haven't enabled the Allow password change after expiration setting for your org, you're notified on the Force Password Change modal. You can choose to enable the setting for your org by clicking force change, or choose not to by clicking cancel. If you enable the setting for your org, all users with expired passwords are able to reset their password.
Managing Password Expiration for Existing Users
You can manually expire passwords for individual users from the User panel.
Read considerations for Allow password change after expiration.
To immediately expire a user's password and force them to change their password:
- Log in to the .
- Go to USER MANAGEMENT > Users.
- Select a user to view their details.
- Click the user's password status, then select Force Password Change.
- If you haven't enabled the Allow password change after expiration setting for your org, you're notified on the Force Password Change modal. You can choose to enable this setting for your org by clicking force change, or choose not to by clicking cancel. If you enable the setting for your org, all users with expired passwords are able to reset their password.
Managing Password Expiration for Multiple Existing Users
You can manually expire passwords for multiple users from the Users list.
Read considerations for Allow password change after expiration.
To immediately expire multiple users' passwords and force them to change their password:
- Log in to the .
- Go to USER MANAGEMENT > Users.
- Select the users whose password you want to expire.
- Click more actions, then select Force Password Change. If you haven't enabled the Allow password change after expiration setting for your org, you're notified on the Force Password Change modal. You can choose to enable the setting for your org by clicking force change, or choose not to by clicking cancel. If you enable the setting for your org, all users with expired passwords are able to reset their password.
Allowing a Password Change After Expiration
The following flows assume the Allow password change after expiration setting is enabled for an organization.
Require a New User to Change their Temporary Password
The following flow applies when admins select to require a new user to change their temporary password:
- An administrator creates a new user, gives the user a temporary password, and selects User must change password at next login.
- The user must change their password the next time they log in to their device:
- If JumpCloud detects the user is on a Mac or Windows device, they're asked to update their password on their device login screen. If you've required MFA for the User Portal, users are required to verify their identity when they change their password.
- If JumpCloud detects the user is on a Linux device, they can log in to their User Portal using expired credentials and are shown a password change prompt. This prompt can't be dismissed. If you've required MFA for the User Portal, users are required to verify their identity when they change their password.
An Existing User's Password Expires
The following flow applies when a user's password lifespan expires:
- The user's password lifespan is reached and the password expires.
- The user is logged out of their device and all JumpCloud-managed resources.
- The user must change their password the next time they log in to their device:
- If JumpCloud detects the user is on a Mac or Windows device, they're asked to update their password on their device login screen. If you've required MFA for the User Portal, users are required to verify their identity when they change their password.
- If JumpCloud detects the user is on a Linux device, they can log in to their User Portal using expired credentials and are shown a password change prompt. This prompt can't be dismissed. If you've required MFA for the User Portal, users are required to verify their identity when they change their password.
Expire an Existing User's Password
The password for a Samba user, which is the Samba Service Account, cannot be expired.
The following flow applies when an admin expires an existing user's password, unless the user is the Samba user:
- An administrator selects to view an existing user's details.
- The administrator clicks the user's password status, then selects Force Password Change.
- The password is immediately expired and the user is logged out of their device and all JumpCloud-managed resources.
- The user must change their password the next time they log in to their device:
- If JumpCloud detects the user is on a Mac or Windows device, they're asked to update their password on their device login screen. If you've required MFA for the User Portal, users are required to verify their identity when they change their password.
- If JumpCloud detects the user is on a Linux device, they can log in to their User Portal using expired credentials and are shown a password change prompt. This prompt can't be dismissed. If you've required MFA for the User Portal, users are required to verify their identity when they change their password.
Implementing a Rolling Password Expiration Policy
This section describes legacy behavior for password expiration. See Manage Password and Security Settings.
When enabling password expiration for a JumpCloud organization, the default behavior is to set the password expiration date to the same date and time for all users of a JumpCloud organization. To limit the number of accounts that are set to expire on a given date and time, admins can create a phased, rolling password expiration policy for their organization.
This can be done by enabling the Password Never Expires setting for all users in an organization before enabling password expiration for an organization and then disabling the setting for batches of users at a time.
Need to install the JumpCloud PowerShell module to automate this task? See Install the JumpCloud PowerShell Module.
For organizations that already have password expiration in place, the steps can also be implemented, but doing so will update all users' existing password expiration dates.
Only once the Password Never Expires setting is disabled per user will the global password expiration setting apply to the user's account.
Examples from the JumpCloud PowerShell Module example library are used to modify users and implement a rolling password expiration policy:
- Step 1:
- Step 2:
- Step 3:
When the Password Never Expires setting is disabled for a user, the user's account will be set to expire at the current time plus the number of days configured for expiration. As an administrator, you can choose the duration between batches of users you disable the expire setting for in your organization.
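One way to script the batching described above, as an added example (it is not taken from the JumpCloud example library, whose steps are not reproduced on this page). It assumes Password Never Expires is already enabled for all users, that the module's `Get-JCUser` and `Set-JCUser` accept `-password_never_expires` as used here, and that the batch size, interval, lifespan and plan file path are values you choose.

```powershell
# Added example: freeze a batch plan, then release due batches on each run.
# Assumes the JumpCloud PowerShell module is loaded and Connect-JCOnline has run.
param(
    [int]$BatchSize    = 25,   # accounts released per batch (your choice)
    [int]$IntervalDays = 7,    # days between batches (your choice)
    [int]$LifespanDays = 90,   # must equal "N days until password expiration"
    [string]$PlanPath  = '.\rolling-expiration-plan.csv',   # hypothetical path
    [switch]$Apply             # without -Apply nothing is changed
)

function New-RollingPlan {
    param([string[]]$Usernames, [int]$BatchSize, [int]$IntervalDays,
          [int]$LifespanDays, [datetime]$StartDate)
    if ($BatchSize -lt 1 -or $IntervalDays -lt 1) { throw 'BatchSize and IntervalDays must be >= 1' }
    $sorted = @($Usernames | Where-Object { $_ } | Sort-Object -Unique)
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        $batch   = [int][math]::Floor($i / $BatchSize)
        $release = $StartDate.AddDays($batch * $IntervalDays)
        [pscustomobject]@{
            Username        = $sorted[$i]
            Batch           = $batch + 1
            ReleaseOn       = $release.ToString('yyyy-MM-dd')
            # Expiry counts from the moment the exemption is removed.
            ProjectedExpiry = $release.AddDays($LifespanDays).ToString('yyyy-MM-dd')
        }
    }
}

if (-not (Test-Path $PlanPath)) {
    # First run: freeze the plan so batches do not shift as accounts are released.
    $exempt = Get-JCUser -password_never_expires $true
    New-RollingPlan -Usernames $exempt.username -BatchSize $BatchSize `
        -IntervalDays $IntervalDays -LifespanDays $LifespanDays `
        -StartDate (Get-Date).Date | Export-Csv $PlanPath -NoTypeInformation
}
$plan = @(Import-Csv $PlanPath)
$plan | Group-Object Batch | ForEach-Object {
    '{0,3} accounts: release {1}, expire about {2}' -f $_.Count,
        $_.Group[0].ReleaseOn, $_.Group[0].ProjectedExpiry
}

if ($Apply) {
    $today  = (Get-Date).Date
    $exempt = @((Get-JCUser -password_never_expires $true).username)
    $due = $plan | Where-Object {
        [datetime]$_.ReleaseOn -le $today -and $exempt -contains $_.Username
    }
    foreach ($row in $due) {
        # From here the org-wide lifespan applies to this account.
        Set-JCUser -Username $row.Username -password_never_expires $false | Out-Null
        "Released $($row.Username) (batch $($row.Batch))"
    }
}
```

Run it once without `-Apply` to review the per-batch dates, then schedule it with `-Apply`; a batch released later than its planned date expires correspondingly later.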
Forcing an Org-Wide Password Reset
Organizations may want, or sometimes have an immediate need, to have their entire user base reset passwords. There are many ways to facilitate this with JumpCloud. There are advantages and disadvantages for each option, ways to initiate the reset flows, and variations in user experience that result.
Password reset using password expiration settings
Expiration is a well-worn method of enforcing rotation of passwords. This is typically used to manage password aging in a rotating fashion, but it may also be employed to enforce a more urgent reset across an organization's user base. This method allows some customization in how that reset is enforced and experienced by users.
All users receive certain nudges from JumpCloud when their passwords are near expiration. These include:
- A daily email to users notifying them that their password will expire. This will start seven days prior to expiration. The email has a link to the User Portal where they will be prompted to change their password. This is a dismissible prompt.
- A Change Password prompt will appear each time a user logs into their User Portal. This will start within seven days of their password expiration. This is a dismissible prompt.
- A daily notification will appear to a user on a managed device with the JumpCloud tray app nudging them to use the app to reset their password. This will start within 10 days prior to their password expiration. This looks slightly different on Macs and Windows.
To review expiration settings:
Before enforcing any form of password expiration, there are a few settings that should be reviewed to ensure that expiration will not have undesired consequences on managed resources.
- Log in to your .
- Navigate to Settings > Security and scroll down to the Password Configurations section.
- For any configured instances of Google Workspace, M365/Entra ID, RADIUS, or LDAP, ensure the desired settings are selected for Password Expiration. These settings will determine if users are maintained, removed, disabled, or have access removed when passwords expire. Take into consideration if you want user email accounts suspended and emails bounced while passwords are expired, or if Wifi access should be cut off from the device the user is logged into.
- In the Password Aging section:
- Review the first setting for most recent passwords cannot match each other (limit historical reuse). It's recommended that this be enabled with a value of at least 1.
- Determine if you want to enable the Allow password change after expiration setting. When passwords expire, access to resources through JumpCloud will be disrupted. This option allows users a path to self-recover from an expired password upon login to their User Portal or managed device.
- Click Save when finished.
To initiate a reset within a limited timeframe:
This is a good option if there is a desire to enforce a reset, but urgency allows for this reset to take place within a prescribed timeframe. Providing a window of time for users to perform a reset can be less disruptive to productivity and distribute the potential admin remediation should a user experience confusion or challenges with the reset.
- Log in to your .
- Navigate to Settings > Security and scroll down to the Password Aging section.
- If not yet enabled, enable the days until password expiration setting and update the number of days that you'd like to allow for your organization to reset all passwords.
- Determine if you want to enable the days prior to password expiration, require password reset at login setting for a certain number of days prior to expiration. This is the same prompt that all users receive prior to expiration, but it is not dismissible, which makes it a good way to ensure users don't delay a reset in the days leading up to expiration.
- Click Save when finished.
To initiate a reset immediately:
This method of initiating reset will be far more disruptive to active users within an organization and will also ensure that compromised passwords are no longer active. Please consider the urgency of action appropriate to the identified vulnerability.
When passwords expire, users will lose access and their account status will be updated on all JumpCloud-managed resources. This may include access to emails that can notify them of expiration, communication applications commonly used to recover users, devices, and networks those devices are connected through.
If opting to force a reset via expiring passwords immediately, consider if you would like users to be able to self-recover from this expiration. The "Allow password change after expiration" setting will allow users to use their expired password to enter a reset flow in the JumpCloud User Portal or a managed device at login.
- Log in to your .
- Navigate to User Management > Users.
- Select the users needing a password reset.
- Click on the more actions dropdown and select Force Password Change.
- Review the Force Password Change confirmation modal and if correct, select force change.
Password reset using a reset request
If there isn't great urgency, requesting a reset of passwords is the least disruptive option for initiating an org-wide reset. A request that isn't disruptive protects productivity, but it also tends to be less effective in prompting users to take action, so this is not a recommended path of remediation if there is a concern that passwords may be compromised.
To send an admin-specified reset request:
There is a way to send a password reset request through the JumpCloud Admin Portal that comes in the form of an email to each user's company email address. The users follow a link in the email to a reset form that requests a new password and a confirmation of that password. This is a simple flow, but as mentioned above, users may be rightfully skeptical of the request if they aren't expecting it. If you decide to use this method, we suggest letting users know in advance to expect the email from JumpCloud. There is also a potential that if users have devices managed by JumpCloud, they may need to confirm their password is synced to their device.
- Log in to your .
- Navigate to User Management > Users.
- Select the users needing a reset request.
- Select Resend Email.
- The selected users will receive the following email. The existing password is not required for this reset request.
To send a customized reset request:
Every organization has a unique IT environment, and leverages JumpCloud to access different collections of resources. Thus, a request coming from a trusted administrator with customized instructions for a reset is likely to be more effective than a generic reset request. Learn more: .