Environment
Novell Client 2 SP4 for Windows
Situation
Historically, when the eDirectory password is expired, Novell Client will alert the user about the need to change their password. For example, if the user has "x" number of grace logins configured, once user logs in to eDirectory + Windows using Novell Client Credential Provider (or just logs in to eDirectory from the system tray "Red N"), and if the users eDirectory password is expired, Novell Client will notify the user to change the eDirectory password each time, until all the grace logins are used as shown here. (Note that the password expiration warning is presented at the end of the login script processing.)
Resolution
Using the "Use Password Expiry Warning" feature, users can be warned that their password will be expiring, and take action to avoid having their password expire. The following relevant settings for controlling this behavior are available in the Novell Client Properties "Advanced Login" tab.
Password Expiry Warning
Enables or disables the presentation of password expiration alerts before the actual password expiration occurs. When disabled, no alerts are presented until the password expiration occurs, and the user must change their password before exhausting the available grace logins. (This is the normal eDirectory password expiration behavior.) When enabled, the Novell Client will begin presenting expiration alerts before the password expiration occurs, allowing the user to change their password before expiration or grace logins occur. (This is more similar to Windows password expiration behavior.)
Password Expiry Warning Period
Sets the number of days before password expiration the user should start receiving password expiration alerts, if "Password Expiry Warning" is enabled. For example, if the user's eDirectory password is set to expire on January 25, 2014 and “Password Expiry Warning†is set for 5 days, the user will start getting eDirectory password expiration / password change notification beginning on Jan 20, 2014 onwards. i.e Each time the user logs in to eDirectory, the user will get a prompt for eDirectory password expiration / password change.
If the number of days is set as "0", the Novell Client will default to using the number of days specified by the Microsoft-defined "Prompt user to change password before expiration" policy, such that both Windows and the Novell Client will begin prompting at the same number of days before expiration.
Force Early Password Expiration Period
Optionally sets a number of days by which the password expiration handling should be forced to occur "early", before the actual eDirectory password expiration will occur. For example, if the actual eDirectory password expiration will not happen for another 5 days, but "Force Early Password Expiration Period" is set to 5, the Novell Client will prompt the user as though password expiration has already occurred. Note this setting only takes effect when the "Password Expiry Warning" setting is also enabled.
Notes:
- Once this feature is enabled and if “Password Expiry Warning†is set to 0 days, then if user's eDirectory password is going to expire on or before 11:59:59 pm local time of the same day the user is performing their eDirectory login, Novell Client will alert user for password expiration and will prompt for a password change.
- If the “Password Expiry Warning†is set to 5 days, then 5 days before the actual eDirectory password expiration, the user will start getting alerts that "the eDirectory password is going to expire in 5 days, please change the password now." This alert will be presented each time user logs in to eDirectory.
- When an eDirectory password reaches its expiration time and if there are one or more Grace Logins allowed for that user, the user will be taken directly to forced password change dialog box to change the eDirectory password after running the login script.
- With this feature enabled, the new prompt for eDirectory password expiration and change password will be displayed in the same place where Novell Client currently displays the grace logins i.e at the user's desktop after login script processing, as shown here:
- After this feature is enabled, nothing will have changed about the Windows account password expiration handling in Novell Client Credential Provider. If your Windows account expiration is going to happen before the eDirectory account expiration, you will be prompted for and have to handle the Windows account expiration first while you're still in Novell Client Credential Provider. The eDirectory account password expiration handling will still only happen after login script processing, outside of Novell Client Credential Provider.
Additional Information
While this functionality was first introduced in Novell Client 2 SP3 for Windows (IR7), the user interface was not available until Novell Client 2 SP4 for Windows.
See TID 7016756 regarding additional configuration required for this feature.