Regarding the Password Expiration Reminder Feature

SotaT
Tera Contributor

I want to set an expiration date for passwords and notify users when the expiration date approaches. From my research, ServiceNow has a property called “pwd_reset.enable.password_expiration_reminder.” Setting this to true seems to enable the feature.
However, it seems the reminder feature doesn't work with the local credential store. It appears we need to create an external credential store. Furthermore, creating a credential store seems to require installing a separate spoke. Is this understanding correct?

If it's possible to set password expiration and create a reminder feature using only standard functionality without installing plugins, I would appreciate your guidance.


MaxMixali
Mega Guru

Password Expiration and Reminder Configuration in ServiceNow
============================================================

Overview
--------
The property `pwd_reset.enable.password_expiration_reminder` enables password expiration reminders, but it only works when password expiration is actively managed through a credential store that supports expiration metadata. For standard local authentication, this feature does not function by default.

How It Works
-------------
ServiceNow manages authentication via Identity Providers (IdPs) and Credential Stores:
- Local Credential Store: Uses `sys_user.password` and does not include built-in expiration logic.
- External Credential Stores: LDAP, Azure AD, Okta, etc., can manage expiration and notify users externally.
- The reminder feature depends on having a **Managed Credential Store** with password expiration data.

Limitations with Local Credential Store
----------------------------------------
If you rely on local authentication (no external IdP):
- There is no built-in password expiration or expiry date field.
- The property `pwd_reset.enable.password_expiration_reminder` does not trigger notifications.
- Custom logic is needed to simulate expiration and send reminders.

Approaches
-----------

Option 1 – Use Password Reset (PRF) with Managed Store
------------------------------------------------------
1. Install the **Password Reset** plugin (`com.snc.password_reset`).
2. Set the property:
   `pwd_reset.enable.password_expiration_reminder = true`
3. Configure a **Managed Credential Store**:
   - Go to: *Password Reset → Credential Stores → New*
   - Define the store (local or external like LDAP/Azure AD).
4. Add an **Expiration Policy** under *Password Reset → Expiration Policies*.
5. Set up email notifications to alert users before expiration.

Works with both local and external credential stores.

Option 2 – Custom Scheduled Job for Local Users (No Plugin)
-----------------------------------------------------------
1. Add a field to `sys_user`: `u_password_expiration_date` (Date/Time).
2. Create a Scheduled Script Job:
```javascript
// Scheduled Script Job: select active users whose custom expiration date is
// on or before the start of the day five days from now (gs.daysAgoStart(-5)),
// i.e. expiring within the next 5 days or already past, and raise one event
// per user. An Email Notification subscribed to that event sends the reminder.
var gr = new GlideRecord('sys_user');
gr.addQuery('u_password_expiration_date', '<=', gs.daysAgoStart(-5));
gr.addQuery('active', true);
gr.query();
while (gr.next()) {
    // parm1 carries the recipient address as a plain string for the notification
    gs.eventQueue('custom.password.expiration.reminder', gr, gr.getValue('email'), '');
}
```
3. Create an Email Notification triggered by `custom.password.expiration.reminder`.

⚙️ Manual but effective for on-prem/local-only users.

Option 3 – Integrate with External Identity Source
---------------------------------------------------
If your org uses LDAP, Azure AD, Okta, or Ping:
- Delegate expiration and reminders to the IdP.
- Configure SSO (SAML/OIDC) in ServiceNow.
- Manage expiration policies in the IdP itself.

This is the **recommended enterprise solution** for large environments.

Summary
--------
| Approach | Requires Plugin | Works for Local Users | Auto Expiration | Reminder Supported | Recommended For |
|-----------|----------------|-----------------------|-----------------|--------------------|-----------------|
| Password Reset (Managed Store) | Yes | Yes | Yes | Yes | Full ServiceNow control |
| Custom Script Job | No | Yes | ⚙️ Manual | ⚙️ Custom | Local-only environments |
| External Identity Provider | No | No | Yes | Yes | Enterprise SSO environments |

Recommendation
---------------
- For enterprise users: manage expiration in your **IdP** (Azure AD / LDAP).
- For standalone instances: install **Password Reset** and enable reminders.
- For isolated setups: use a **custom scheduled script**.
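The selection logic behind the Option 2 scheduled job, as an added example in plain Node.js (not ServiceNow code and not from the original post) so it can be unit-tested off-platform: instead of a GlideRecord query it takes an array of user objects, and it separates already-expired accounts from those still inside the reminder window so the two cases can be notified differently. It assumes each record carries `u_password_expiration_date`, `active` and `email`, mirroring the custom field described above; the sample rows are constructed.

```javascript
// Added example, plain Node.js: mirrors the Option 2 query on constructed data.
// Assumption: user objects carry `u_password_expiration_date` (ISO string or
// null), `active` and `email`, like the custom sys_user field described above.
const DAY_MS = 24 * 60 * 60 * 1000;

// Classify users relative to `now`: already expired, expiring within
// `windowDays`, or not yet due. Inactive users, users without an address and
// users without an expiration date are skipped, as they must never be reminded.
function selectReminderCandidates(users, now, windowDays) {
  const windowEnd = new Date(now.getTime() + windowDays * DAY_MS);
  const result = { expired: [], expiring: [], notDue: [] };
  for (const u of users) {
    if (!u.active || !u.u_password_expiration_date || !u.email) continue;
    const exp = new Date(u.u_password_expiration_date);
    if (Number.isNaN(exp.getTime())) continue; // malformed date: skip, do not crash the job
    const daysLeft = Math.ceil((exp.getTime() - now.getTime()) / DAY_MS);
    const entry = { email: u.email, daysLeft };
    if (exp <= now) result.expired.push(entry);          // past due: reset required
    else if (exp <= windowEnd) result.expiring.push(entry); // inside the reminder window
    else result.notDue.push(entry);                      // nothing to send yet
  }
  return result;
}

// Constructed sample rows standing in for sys_user records.
const SAMPLE_USERS = [
  { email: 'alice@example.com', active: true,  u_password_expiration_date: '2024-06-12T00:00:00Z' },
  { email: 'bob@example.com',   active: true,  u_password_expiration_date: '2024-06-01T00:00:00Z' },
  { email: 'carol@example.com', active: false, u_password_expiration_date: '2024-06-11T00:00:00Z' },
  { email: 'dave@example.com',  active: true,  u_password_expiration_date: null },
  { email: 'erin@example.com',  active: true,  u_password_expiration_date: '2024-07-30T00:00:00Z' },
];

// Fixed "now" so the run is reproducible; a real job would use new Date().
const NOW = new Date('2024-06-10T00:00:00Z');
const buckets = selectReminderCandidates(SAMPLE_USERS, NOW, 5);
console.log(buckets);
```

In the scheduled job the `expiring` bucket is what feeds `gs.eventQueue`; the `expired` bucket is better routed to a separate "password expired" notification so those users are not sent a daily "expiring soon" reminder.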


Hi @MaxMixali - please stop posting replies that are simply cut-and-pasted from ChatGPT. It doesn't help anyone.