I have a profile that all my users use. With regard to password expiration, I have their password expire in 80 days with a 10-day grace period.
First question: Does this mean that when they reach 80 days, they will start getting the message [at every logon] that their "password will expire in X days..."?
OR do they start getting that message when they have reached the 70th day?
When I look at the account_status in dba_users, I see some users have a status of "OPEN", while the date in their expiry_date field has already passed. Shouldn't it say EXPIRED? I see others with "EXPIRED(GRACE)" status - I assume that these are the users who are in their grace period.
Can someone give me an explanation on how Oracle actually does this??
I think I answered my own question... (after doing some tests on a dev box)
The value in expiry_date is kinda tricky, but actually is straightforward. But the value in the account_status is kinda tricky, too.
Here's how it works (from what I observed).
The account_status value does NOT change UNTIL the user logs in. This explains why users with passed expiry_date values still have an account_status of OPEN - they haven't logged in since their password expired.
The expiry_date value has to be translated with what's in the account_status. If the account_status is set to OPEN, then the expiry_date states when the password will expire. (Makes sense...)
IF YOU HAVE PUT A GRACE PERIOD, then this expiry_date means that's the date when the account will go into the grace period.
Say you set a grace period of 10 days. The account does NOT start its grace period (the 10-day countdown) until it logs on AFTER the expiration date has passed.
When the account reaches/is within the grace period, the expiry_date is updated to reflect the date when the account will definitely expire.
It all makes sense now, but it was unclear before I did this test....
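
A query that applies the behaviour observed above to every account, as an added example that is not part of the original post. It assumes SELECT access to the DBA_USERS and DBA_PROFILES dictionary views; the `interpretation` and `days_to_expiry_date` column aliases are names chosen here for illustration.

```sql
-- Added example: read expiry_date in the light of account_status,
-- following the behaviour described in the post above.
SELECT u.username,
       u.profile,
       u.account_status,
       u.expiry_date,
       -- Profile limits are stored as text: a number of days, 'UNLIMITED',
       -- or 'DEFAULT' (meaning the value is inherited from the DEFAULT profile).
       life.limit  AS password_life_time,
       grace.limit AS password_grace_time,
       CASE
         WHEN u.account_status = 'OPEN' AND u.expiry_date IS NULL
           THEN 'no expiry date recorded'
         WHEN u.account_status = 'OPEN' AND u.expiry_date < SYSDATE
           THEN 'lifetime passed, no logon since: grace period not started yet'
         WHEN u.account_status = 'OPEN'
           THEN 'password valid until expiry_date'
         WHEN u.account_status LIKE 'EXPIRED(GRACE)%'
           THEN 'in grace period: expiry_date is when the grace period ends'
         ELSE 'expired and/or locked: see account_status'
       END AS interpretation,
       -- Negative values are dates already in the past.
       ROUND(u.expiry_date - SYSDATE, 1) AS days_to_expiry_date
FROM   dba_users u
LEFT JOIN dba_profiles life
       ON life.profile = u.profile
      AND life.resource_name = 'PASSWORD_LIFE_TIME'
LEFT JOIN dba_profiles grace
       ON grace.profile = u.profile
      AND grace.resource_name = 'PASSWORD_GRACE_TIME'
ORDER  BY u.expiry_date NULLS FIRST, u.username;
```

Rows reported as OPEN with a past expiry_date are accounts that have not logged on since their password lifetime ran out, which makes the query a quick way to spot dormant accounts during an access review.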