Regarding the Password Expiration Reminder Feature

SotaT
Tera Contributor

I want to set an expiration date for passwords and notify users when the expiration date approaches. From my research, ServiceNow has a property called “pwd_reset.enable.password_expiration_reminder.” Setting this to true seems to enable the feature.
However, it seems the reminder feature doesn't work with the local credential store. It appears we need to create an external credential store. Furthermore, creating a credential store seems to require installing a separate spoke. Is this understanding correct?

If it's possible to set password expiration and create a reminder feature using only standard functionality without installing plugins, I would appreciate your guidance.

5 REPLIES

MaxMixali
Mega Guru

ServiceNow – Password Expiration and Reminder Configuration

Question Summary
----------------
You want to set an expiration date for user passwords and notify users when their password expiration date approaches. You found the property “pwd_reset.enable.password_expiration_reminder” but noticed it doesn’t seem to work with the local credential store. You’re asking whether it’s necessary to create an external credential store or install an additional spoke.

Detailed Answer
----------------
1. **Property Overview**
- The property **pwd_reset.enable.password_expiration_reminder** (boolean) enables password expiration reminder notifications.
- When set to **true**, it allows ServiceNow to send reminders to users whose passwords are about to expire — **only if password expiration is configured and managed via the Credential Store**.

2. **Local Credential Store Limitation**
- The **local ServiceNow credential store** (where users authenticate directly via the ServiceNow login page) does **not** natively support password expiration or reminders.
- Password expiration and enforcement policies are **not managed** within the local user table (`sys_user`) for standard ServiceNow authentication.

3. **External Credential Store Requirement**
- To use password expiration reminders, ServiceNow expects integration with an **external credential store** (e.g., LDAP, Azure AD, Okta, or another Identity Provider) that manages password policies, including expiration.
- ServiceNow can then read and relay expiration data from that external system.

4. **Credential Store Setup**
- External credential stores are defined in the **Credential Store framework** (introduced for password resets and identity management).
- The credential store configuration may require installation of the **“Password Reset” plugin** or **Credential Store Spoke**, depending on your version.

Example plugins:
- **Password Reset (com.glideapp.password_reset)** → provides core password management functionality.
- **Credential Store Spoke** → enables integration with third-party identity systems.

5. **Without Installing Additional Plugins**
- ServiceNow **does not natively** handle password expiration reminders for local user accounts out of the box.
- However, you can simulate similar behavior using **scheduled jobs and notifications**:
  - Add a custom **“password_expiration_date”** field on the `sys_user` table.
  - Use a **Scheduled Script Execution** to check for users whose password expiration date is within X days.
  - Send an **email notification** to those users via standard notification templates.

Example pseudo-script:
```javascript
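// Scheduled Script Execution: queue a reminder event for active users whose
// custom password_expiration_date falls within the next 7 days.
// Use the column's actual name (global-scope custom columns get a u_ prefix).
var gr = new GlideRecord('sys_user');
gr.addQuery('active', true);
gr.addNotNullQuery('email'); // skip accounts with no address to notify
gr.addQuery('password_expiration_date', '>=', gs.daysAgoStart(0)); // not already expired
gr.addQuery('password_expiration_date', '<=', gs.daysAgoStart(-7)); // within next 7 days
gr.query();
while (gr.next()) {
    // The event must be registered and linked to a notification to send mail.
    gs.eventQueue('password.expiration.reminder', gr, gr.getValue('email'), '');
}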
```

6. **Recommendation**
- If your organization uses **SSO / External Authentication**, handle password expiration in that identity provider.
- If using local ServiceNow authentication, you can only **customize** the expiration logic through scripting, as no OOB configuration exists for reminders without a credential store.

Summary
-------
- The property `pwd_reset.enable.password_expiration_reminder` works **only with external credential stores**.
- For **local accounts**, password expiration and reminders must be custom-built via scripts and notifications.
- Installing the **Password Reset plugin** or **Credential Store Spoke** enables the official, supported approach.

Best Practice
--------------
- For enterprise environments, delegate password management to **SSO or external ID providers** (Azure AD, Okta, LDAP).
- Avoid storing or managing passwords directly in ServiceNow where possible for security and compliance reasons.

Ankur Bawiskar
Tera Patron

@SotaT 

Here is a KB from ServiceNow with a custom solution:

Force Password Reset 90 Days After Last Change 

The docs link does say this:


💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

Ankur Bawiskar
Tera Patron

@SotaT 

Do you have users brought in via LDAP, or do you have local accounts as well?

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

There are only local accounts. Only users manually created in sys_user.