set new password policy

PandiriJ
Tera Contributor

Currently our password should expire after 90 days, and we are setting a new password policy under which it should expire after 365 days. If we change the properties from 90 days to 365 days, the property will apply to existing users also, but we want the current password to expire after 90 days for current users, and only once they reset after 90 days should the new policy with 365 days apply.

Please share any solutions.

 

Thanks in advance.

4 REPLIES

Ankur Bawiskar
Tera Patron

@PandiriJ 

ServiceNow doesn't support staged password expiration policy.

One way is to wait until all users complete their 90 days and then roll out the new policy, but this will work only when you have a small set of users.

Another way might be a custom solution, as below:

Steps
1) Create a Custom User Field:

-> Add a field like last_password_reset_date or policy_applied to track whether a user has reset their password after the policy change.

2) Use a Scripted Policy Logic:

-> Implement a scripted password expiration check that:
- Applies the 90-day expiration for users who haven’t reset their password since the policy change.
- Applies the 365-day expiration for users who have.

3) Workflow or Scheduled Job:

-> Create a scheduled job or business rule that updates the custom field when a user resets their password.
-> This can be tied to the password reset event or form submission.

4) Modify the Password Policy Script:

-> Use a script to dynamically set the expiration period based on the custom field.

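Sample script like this:

// Pseudocode: last_password_reset_date is the custom field from step 1;
// policy_change_date is the date the new policy took effect.
var password_expiration_days;
if (user.last_password_reset_date < policy_change_date) {
    password_expiration_days = 90;   // no reset since the policy change
} else {
    password_expiration_days = 365;  // reset under the new policy
}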

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

PandiriJ
Tera Contributor

Please share the custom solution

@PandiriJ can you try this solution once:

Use a custom user attribute and a conditional check in your expiration logic. 

 

1. Create a Custom Field

Add a field to the sys_user table, like:

  • use_new_password_policy (Mostly Boolean / Date / Choice)

This will indicate whether a user has reset their password under the new policy.

2. Modify Password Expiration Logic

Customize your password expiration rule to check this field:

  • If use_new_password_policy == false → apply 90-day expiry

  • If true → apply 365-day expiry

3. Track Password Reset Date

If not already tracked, store last_password_reset_date. When a user resets, update:

  • use_new_password_policy = true

  • Or update a next_expiration_date with +365 days

4. Trigger On Password Reset

Use a Script Action or Business Rule:

  • On password reset, update the flag

  • Ensure future expiration follows the new interval

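    var userGR = new GlideRecord('sys_user');
    if (userGR.get(gs.getUserID())) {
        // 365 days once the user has reset under the new policy, otherwise 90
        var expiryDays = userGR.use_new_password_policy ? 365 : 90;

        // last_password_reset_date is the custom field from step 3
        var lastReset = new GlideDateTime(userGR.getValue('last_password_reset_date'));
        var now = new GlideDateTime();
        // subtract(start, end) returns a GlideDuration; convert its milliseconds to days
        var ageMs = GlideDateTime.subtract(lastReset, now).getNumericValue();
        var ageInDays = ageMs / (1000 * 60 * 60 * 24);

        if (ageInDays >= expiryDays) {
            // Force password change
        }
    }

If this did the trick, hit that 'correct' mark and close the thread so we can help others find the same fix.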


If this response resolved your issue, kindly mark it as Helpful or Accept Solution—it helps others find the answer faster.
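
The staged rule both replies above describe (90 days until the first reset after the policy change, 365 days afterwards), as an added example in plain JavaScript; it is not part of the original posts and uses no ServiceNow APIs. `policyChangeDate`, `lastPasswordResetDate` and the sample users are assumptions constructed for illustration, and a missing or future-dated reset date is treated as expired so a bad record never extends a password's lifetime.

```javascript
// Added example: plain JavaScript model of the staged rule (no ServiceNow APIs).
const DAY_MS = 24 * 60 * 60 * 1000;
const LEGACY_DAYS = 90;  // interval from the thread
const NEW_DAYS = 365;    // interval from the thread

// policyChangeDate and user.lastPasswordResetDate are hypothetical names:
// ISO-8601 UTC strings standing in for the cutover date and the custom field.
function passwordStatus(user, policyChangeDate, now) {
  const cutover = Date.parse(policyChangeDate);
  const reset = Date.parse(user.lastPasswordResetDate);
  const nowMs = Date.parse(now);
  if (Number.isNaN(cutover) || Number.isNaN(nowMs)) {
    throw new Error('policyChangeDate and now must be valid dates');
  }
  // Fail closed: no usable reset date, or one in the future, forces a change.
  if (Number.isNaN(reset) || reset > nowMs) {
    return { policyDays: LEGACY_DAYS, expiresAt: null, expired: true };
  }
  // A reset on or after the cutover moves the user to the new interval.
  const policyDays = reset >= cutover ? NEW_DAYS : LEGACY_DAYS;
  const expiresMs = reset + policyDays * DAY_MS;
  return {
    policyDays,
    expiresAt: new Date(expiresMs).toISOString(),
    expired: nowMs >= expiresMs,
  };
}

// Constructed sample users (not real data).
const CUTOVER = '2025-01-01T00:00:00Z';
const SAMPLE_USERS = [
  { name: 'alice', lastPasswordResetDate: '2024-11-15T09:00:00Z' }, // before cutover
  { name: 'bob', lastPasswordResetDate: '2025-01-01T00:00:00Z' },   // exactly at cutover
  { name: 'carol', lastPasswordResetDate: '2024-09-01T00:00:00Z' }, // legacy, overdue
  { name: 'dave', lastPasswordResetDate: null },                    // field never set
];

function report(now) {
  return SAMPLE_USERS.map((u) => ({ name: u.name, ...passwordStatus(u, CUTOVER, now) }));
}

console.log(report('2025-02-01T00:00:00Z'));
```
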

@PandiriJ 

I already shared the approach and sample pseudo code.

I believe you can take it further from here based on your experience and development skills.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader