Looks like you have the "workaround", but I'm compelled to emphasize what others have written.
No user account should be have password expiration of less than 90 days. We have a wide variety of users. Most log in daily, while others log in anywhere from weekly to annually. Our policy is the same for all.
After 90 days of no activity, the account is locked. After an additional 30 days, the account is deleted. After this, a new user account must be requested.
NOTE: This is explained to every user and supported by mgmt. So, the users that don't log in after 120+ days know they must re-apply. Normally, they get the same login.
Application accounts are either locked or the password is maintained by sys admin staff. For those, we change the password every 90 days regardless if used or not.
Users that actually need access to an application account are provided sudo access. For example, all sys admin's use sudo for root commands and dba's for oracle commands.
Critical logins, including sys admins, root, oracle accounts are monitored for changes.
Of course, we have an exception request for those very, very rare occasions. We don't want to prevent anyone from doing there job, but any exceptions must be documented, validated, and approved by upper mgmt.
Hope this helps...
:-)
"I have not failed. I've just found 10,000 ways that won't work." - Thomas Edison
