Advance email notice password expiration

Hello everyone,

Due to the nature of our business, we have many colleagues who need to use Epicor very rarely. But every time they use Epicor, their password expires and they ask for a reset.
So I would like to notify those people of their password in advance as well.
Since they don’t access Epicor often, I think email would be a good method of notification.
How can I set up this feature?

We are on 11.2.400.00.
Thanks in advance!

2 Likes

Password expiration is no longer considered a best practice. Even the person who first proposed it thinks it’s a bad idea and changed his mind 7 years ago. Microsoft even reduces the organization’s Secure Score if they do expire passwords.

A better solution, if possible, is to use Epicor IdP or Entra ID so there is only one login and other factors are used instead or in addition to just a single factor password.

4 Likes

BTW, for companies who can’t use an identity provider, the recommendation is to do a full expiration for everyone at the same time. That would make your task easier. :person_shrugging:

1 Like

And yet, Epicor itself is not only still encouraging it, but still doing it.

They sent notice and made me reset mine not long ago.


3 Likes

Now back to your question…

Just because I don’t agree with you, doesn’t mean I won’t help you.
You can make your own decisions. :wink:

In the tables Erp.UserFile or Ice.SysUserFile you will find a date field labeled:

  • PwdExpires

You could run a scheduled function to check those fields every so often against a set of criteria, and then send a reminder email accordingly.

2 Likes

Actually, I knew that the password expiration feature was a must-use feature. If we don’t have to use it, I don’t want to use it. How should I set this up?

I think you have to. :frowning:

At least in some form or fashion for regular login, or Epicor IdP.

With Entra ID (Azure), you would have more options, but that’s not a question I can answer.

We are about to go the Entra ID route though, just haven’t got there.

1 Like

Another thing to consider is when an employee leaves, the Entra ID is disabled. However, the Kinetic User Account is not automatically disabled and the username/password remains. There is also a last login date and you may want to disable Kinetic accounts after a certain amount of time and maybe send an email a week ahead of time.

Also, consider MES logins if those are shared on the shop floor.

1 Like

Wouldn’t it be great if users could reset their own dang passwords? I can’t tell you the hours we spend resetting people’s passwords for them because Epicor has not built this extremely basic function into their software.

And as if the situation weren’t terrible enough, in 2024.1, the email temp password function now sends passwords that are 135 characters long. Yes, it’s working as designed. :scream: So now we have no option but to reset password to blank, because so far exactly ZERO users are capable of dealing with a 135 character password, who could have possibly guessed this could be a problem???

Use an integrated id - well sure, I have Azure AD set up, but the cloud team won’t set up the config files the way I need them to on the server, which means if we want people to use it, we could no longer have users self serve the install from the download site, but instead would have to take over every install, every update, ourselves, and we don’t have the bandwidth to do that for ~300 users. So we are stuck with basic auth for the most part until we can get to the browser.

But I like the idea of warning people that their password has or is going to expire to head off some of the emergency reset requests.

1 Like

Wouldn’t it be great to get rid of passwords altogether? :person_shrugging:

3 Likes

Well yes but I explained why that isn’t an option for us at the moment . . .

Shared workstations are still a problem too…

2 Likes

2 Likes

I’ll bite, give me your take on it.

Mark is correct but our environment is not ready.

A simple scheduled BAQ report with a routing rule broke on user id for the email works. We do 14 days out and will nag depending on schedule selected.

select
    [SysUserFile].[UserID] as [SysUserFile_UserID],
    [SysUserFile].[Name] as [SysUserFile_Name],
    [SysUserFile].[EMailAddress] as [SysUserFile_EMailAddress],
    [SysUserFile].[PwdExpires] as [SysUserFile_PwdExpires]
from Ice.SysUserFile as SysUserFile
inner join Erp.UserFile as UserFile on
    SysUserFile.UserID = UserFile.DcdUserID
    and ( UserFile.UserDisabled = false )
where (SysUserFile.PwdExpires >= @Tomorrow and SysUserFile.PwdExpires <= dateadd (day, 14, Constants.Today))

5 Likes
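The selection rule from the BAQ above (enabled users whose PwdExpires falls between tomorrow and 14 days out), written as an added Python example that is not part of the original posts and is not Epicor code. It assumes the BAQ rows have already been exported as dictionaries with PwdExpires as a date; the sample rows, the `example.com` addresses and the sender are constructed, and the reminder deliberately carries no password and no link.

```python
from datetime import date
from email.message import EmailMessage

WARN_DAYS = 14  # same window as the BAQ in the thread

def row(uid, email, expires, disabled=False):
    """Build one constructed sample row shaped like the BAQ columns."""
    return {"UserID": uid, "Name": uid.title(), "EMailAddress": email,
            "PwdExpires": expires, "UserDisabled": disabled}

# Constructed sample data, not real accounts.
SAMPLE_ROWS = [
    row("asmith", "asmith@example.com", date(2025, 3, 10)),
    row("bjones", "bjones@example.com", date(2025, 3, 15)),   # day 14: in
    row("cdoe", "cdoe@example.com", date(2025, 3, 16)),       # day 15: out
    row("dlee", "dlee@example.com", date(2025, 3, 1)),        # expires today
    row("egray", "egray@example.com", date(2025, 3, 5), disabled=True),
    row("fkim", "", date(2025, 3, 3)),                        # no address
    row("gnone", "gnone@example.com", None),                  # no expiry set
]

def select_reminders(rows, today, warn_days=WARN_DAYS):
    """Return (due, no_address): users to email and user IDs needing follow-up."""
    due, no_address = [], []
    for r in rows:
        if r["UserDisabled"] or r["PwdExpires"] is None:
            continue
        left = (r["PwdExpires"] - today).days
        if not 1 <= left <= warn_days:   # tomorrow .. today + 14, as in the BAQ
            continue
        if not (r["EMailAddress"] or "").strip():
            no_address.append(r["UserID"])  # cannot be warned by email
            continue
        due.append((r, left))
    return due, no_address

def build_message(r, left, sender="erp-admin@example.com"):
    """Compose the reminder; it carries no password and no login link."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = r["EMailAddress"]
    msg["Subject"] = f"Your Epicor password expires in {left} day(s)"
    msg.set_content(
        f"Hello {r['Name']},\n\n"
        f"Your Epicor password expires on {r['PwdExpires']:%Y-%m-%d}.\n"
        "Sign in the way you normally do and change it before then.\n"
        "This notice contains no links and will never ask for your password.\n")
    return msg
```

Each message returned by `build_message` can be handed to `smtplib.SMTP.send_message`; the `no_address` list is the set of users an administrator has to reach some other way.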

Lol, my favorite tool is a hammer…

I hadn’t thought of using APR. If you have that, it’s perfect for this application.
Nice job.

2 Likes

The common situations are:

Shopfloor Workstations where material handlers, maintenance people, or supervisors are using Kinetic during the same shift. They will only log out if they don’t have the command they need to do.

MES workstations where operators are only using their Employee ID but sharing a common Kinetic login. Again, making sure the right employee is reporting under the right Employee Id can be adventurous.

A Kiosk that allows all users to view Safety Data Sheets, request PTO, etc. where it has to log out of programs to protect employees.

That’s not what I was asking.

What challenges / issues do you see?

  • Knowing who is actually entering transactions
  • Providing appropriate access to SharePoint Document Libraries without opening the library up to the whole company or even the public
  • Handling password changes. We use autologin for reboots. Kinetic Login is also in the sysconfig.
  • Exiting sensitive programs like HR systems
  • Rebooting workstation returning system to pre-login state to wipe “bad stuff”

Maybe browser profiles can work so multiple people can log in at the same time. :person_shrugging: It would need some switching capability though. Certificate-based login could also help with the Kiosks.

1 Like

Maybe we can add webcam support to Microsoft’s Recall?

:poop:

2 Likes