User Account Password expire date weirdness

OK, I am trying to be proactive about user accounts with expiring passwords. I seem to get caught where the user did not log in on the expiring day and then they need help with a password reset. So I would like to send a notice out on Monday of each week to give them a heads-up.

I have a BAQ that shows the user accounts with expired or expiring passwords.

Once the password is expired, the last changed and password expires dates are showing correctly.

However, for those passwords that have not expired yet and are coming up, the last changed date is incorrect and shows the previous date (90 days prior). This is so weird. So the BAQ result does not match the user account screen dates.

What am I missing? Is this a bug? Or is the screen field doing some sort of calculation?

We are on 10.2.200.30. Thanks.

Brad

Here is a user account example of what I am seeing

Sorry I have no idea what is going on in your case.
I was just wondering if you really need password expiration policies - when was the last time you reviewed the practice?

Since I’ve recently been seeing articles that indicate that password expiration is an obsolete practice.
Here are a couple related links…

https://www.techrepublic.com/article/windows-10-passwords-wont-expire-why-microsoft-says-this-will-make-your-account-safer/

Thanks Bruce I will review this info. I would need to get some mgt buy-in to change our current policies.

I am using the ERP.UserFile table and I do see an ICE.SysUserFile table that looks like a duplicate. When I bring this ICE table into the BAQ I cannot see any fields.

I think you have to be Site Admin (more than just Security privs) to see that table. You MIGHT be able to get the info from the UserSvc though.

Thanks Mark,
I don’t know what either of those are, but I did put in an Epicor support ticket based on the responses here.

I am a security manager and I tried the manager password as well and get the same results. We are on premise.

Thanks everyone.

Did you try making relationships to SysUserFile anyway?

When I join the two (Erp.UserFile and Ice.SysUserFile) I see differences.

In the following, columns starting with UF are from the UserFile, SUF from the SysUserFile.

The values in SysUserFile match the User Security form, and what’s real.

UPDATE

So Epicor Support was very helpful and identified that this sysuserfile table is the table that holds the password info, and this is one of a few tables that is locked down so that you cannot write a BAQ against it.
They suggested a BPM, and I have a BPM written and being tested to notify me when a password expires, for starters.

Thanks everyone.

But you could set up an ODBC connection to the DB, and make an external BAQ, no?

Not sure Calvin, haven’t ventured into those waters yet…

Hi Brad,
Did you create a BPM Method Directive or Data Directive? Do you have the sample?

Thank you