ISE 2.2 What happens when I enable user account disablement after 90-days on year-old user accounts?

ciscobacon
Level 1

We have an ISE deployment that has internal users that were created over a year ago and are looking to enforce 90-day password expiration/changes.  If we enable the setting, "Disable user account after 90 days if password was not changed" - will accounts older than 90 days with no password changes be disabled immediately, or will the 90 day timer start the day we check that box?

 

Is there possibly a better way to enforce a 90-day password expiration/change than this?

Accepted Solutions

It will be disabled within 24hrs, i.e. once the DB job is completed based on
the internal schedule.

I don't know of a better way to do it if they are internal users. You just need to
notify them prior to enabling.


How sure are you on this?  Looking at the user accounts, it appears that there's also a field for "disable if user has been inactive after 12/3/18" for instance - this seems to point to ISE timestamping the accounts to disable 90 days from the current time and not from creation date.  So the question still stands, if I enable the 90-day policy for disabling accounts that haven't changed their password in 90 days today, will ISE go off current time to start the timer or when the account was originally created?