>> Seems to me that you just need to judiciously set up ppolicy.
>> set pwdMaxAge to the max time you want your users to be able to have an
>> inactive account
>> then set pwdGraceAuthnLimit to 0
>
> This won't work unless he means "after a period of inactivity" to be
> actually changing their password.
>
> For example, if he wants to lock an account after 15 days of no logins,
> then if a user logs in on day 14, he would expect the lockout period to be
> reset. However, to reset it the user would have to change their password
> so pwdChangeTime updates.
>
> Or am I way off?
>
This of course could be forced by setting pwdMustChange. Then when the user logs in on day 14, they must change it.
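The point made in the quoted reply (a bind never moves the expiry date; only a password change rewrites pwdChangeTime) can be shown with a small model of the ppolicy expiry decision. This is an added illustration, not code from OpenLDAP or from anyone in this thread; the policy values, account, and timestamps are constructed, and the model covers only pwdMaxAge, pwdGraceAuthnLimit and pwdChangeTime, not pwdMustChange.

```python
"""Model of how the ppolicy overlay decides whether a bind is still allowed
once pwdMaxAge has elapsed. Added illustration with constructed values, not
OpenLDAP's own code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed pwdPolicy entry values. pwdMaxAge is in seconds, as in ppolicy.
POLICY = {
    "pwdMaxAge": 15 * 24 * 3600,   # password, and so the account, expires after 15 days
    "pwdGraceAuthnLimit": 0,       # no binds allowed once the password has expired
}


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20240101120000Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def format_generalized_time(when: datetime) -> str:
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


@dataclass
class Account:
    # Operational attributes that ppolicy maintains on the user entry.
    pwdChangeTime: str
    pwdGraceUseTime: list = field(default_factory=list)


def password_expired(account: Account, policy: dict, now: datetime) -> bool:
    max_age = policy.get("pwdMaxAge", 0)
    if max_age <= 0:
        return False
    changed = parse_generalized_time(account.pwdChangeTime)
    return now >= changed + timedelta(seconds=max_age)


def bind(account: Account, policy: dict, now: datetime) -> tuple:
    """Model a bind with the correct password against the policy.
    Note what is absent: a bind never touches pwdChangeTime, so logging in
    does not push the expiry date out."""
    if not password_expired(account, policy, now):
        return True, "ok"
    grace_limit = policy.get("pwdGraceAuthnLimit", 0)
    if len(account.pwdGraceUseTime) < grace_limit:
        account.pwdGraceUseTime.append(format_generalized_time(now))
        return True, "grace authentication"
    return False, "password expired"


def change_password(account: Account, now: datetime) -> None:
    """The only event that resets the clock: ppolicy rewrites pwdChangeTime."""
    account.pwdChangeTime = format_generalized_time(now)
    account.pwdGraceUseTime = []


def simulate(change_password_on_day14: bool) -> list:
    """Bind on day 14 and day 16 after the last password change (constructed
    dates); optionally change the password during the day-14 login."""
    day0 = parse_generalized_time("20240101120000Z")
    acct = Account(pwdChangeTime="20240101120000Z")
    results = []
    for day in (14, 16):
        now = day0 + timedelta(days=day)
        ok, reason = bind(acct, POLICY, now)
        results.append((day, ok, reason))
        if ok and day == 14 and change_password_on_day14:
            change_password(acct, now)
    return results


if __name__ == "__main__":
    print("login only:    ", simulate(False))
    print("login + change:", simulate(True))
```

With a plain login on day 14 the day-16 bind is refused, because pwdChangeTime still dates from day 0 and pwdGraceAuthnLimit is 0; with a password change on day 14 the day-16 bind succeeds, because the 15-day window now starts from day 14.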
