14 Mar
2008
14 Mar
'08
3:28 p.m.
Seems to me that you just need to judiciously set up ppolicy. set pwdMaxAge to the max time you want your users to be able to have an inactive account then set pwdGraceAuthnLimit to 0
This won't work unless he means "after a period of inactivity" to be actually changing their password.
For example, if he wants to lock an account after 15 days of no logins, then if a user logs in on day 14, he would expect the lockout period to be reset. However, to reset it the user would have to change their password so pwdChangeTime updates.
Or am I way off?
This of course could be forced by setting pwdMustChange
Then when the user logs in on the day 14, they must change it.