Set Expiration Policies

ExCM allows you to establish policies for expiring the following:

 

 

The policies are set from the Expiration Policies page in the Extranet Collaboration Manager group of menu items in Central Administration:

 

SharePoint Central Administration Extranet Collaboration Manager Expiration Policies

 

 

 

ExCM implements expiration policies differently for Account Expiration and Password Expiration, so they are explained in separate sections below.

 

 

 

External User Account Expiration

External User Account expiration is performed by a SharePoint Timer Job that runs on the schedule that you specify and uses the policy parameters that you specify on the Expiration Policies page in Central Administration:

 

 

Extranet Collaboration Manager Expiration Policies

 

The frequency settings for the Account Expiration Timer Job (named ExCM User Automation in Timer Job Definitions) are configured in the Recurring Schedule section further down on the page:

 

Extranet Collaboration Manager Expiration Policies Recurring Schedule

 

When you configure the settings and click OK on the page, a one-time configuration job is kicked off in the background and it could take 15 - 30 minutes to complete, depending on the size of your SharePoint farm.  Once the configuration job has successfully pushed your policies out to every server in your farm, your policies will be in force and will be applied on the schedule you specified for the ExCM User Automation Timer Job that is connected to your extranet web application: 

 

Extranet User Automation Expiration Policies timer job

 

Note:  Since the application of expiration policies is handled by the ExCM User Automation Timer Job, it is necessary to restart the SharePoint Timer Service on all servers in your farm so that the Timer Job cache will be refreshed and the new policy settings picked up.  During the configuration process, ExCM 2013 R2 attempts to restart the Timer Service automatically on each server as part of the expiration policy configuration job.  This may be successful in some farms, but not in other farms due to service account permissions.  If you find that your expiration policies are not being persisted after waiting 15 - 30 minutes, you will need to manually restart the SharePoint Timer Service on each server in your farm.

 

Once configured, the ExCM User Automation Timer Job will run on the schedule you set.  When it runs, it loops through all of the External User Account records in your extranet directory database and examines the Last Login Date and Last Activity Date of each one to determine whether the external user's account should be expired, based on the Account Expiration Policy you previously defined.

 

If it determines that an external user's account should be expired, it will set the Approval flag to "unapproved".  This status prevents the external user from logging in to the extranet until an extranet administrator has re-approved the user's account.

 

Example Walkthrough:

Assume the following Account Expiration Policy settings have been created in Central Administration:

 

Extranet Collaboration Manager Account Expiration Policies

 

 

With this policy, an extranet user's account will expire after 30 days of inactivity.  Inactivity is defined as no logins using the account and no administrative actions related to the account.

 

In this example, 14 days prior to the account expiration date, the user will receive a warning email message that is similar to this one:

 

Extranet Collaboration Manager Account Activity Expiration Approaching message

 

If the extranet user visits the site and logs in, no further action will be required to keep their account active for another 30 days.  Their Last Activity Date will be updated as soon as they log in and they will no longer be within the expiration notification window.

 

However, if the extranet user does not visit the site and log in, they will continue to receive this same email per the "Repeat the expiration notification" frequency setting.

 

Finally, if the extranet user does not log in to the site before the inactivity period set by the expiration policy has elapsed, they will receive this email:

 

Extranet Collaboration Manager Account Activity Expiration email

 

If they attempt to visit the site and log in after expiration, they will see this error message:

 

Extranet Collaboration Manager login error message post expiration

 

From an administrative standpoint, their account record in ExCM will look like this:

 

Extranet Collaboration Manager extranet user settings

 

 

Notice that their status has been set to "Unapproved", rather than "Locked".  The "Locked" status is only used for situations where a user has exceeded the maximum number of invalid login attempts.
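The walkthrough's policy as an audit check, added here as an example (it is not ExCM code): given an exported list of accounts, it works out which ones the 30-day/14-day policy would place in the warning window or expire, and flags any that are past expiration but still approved, which is what you would see if the timer job never picked up the policy. The record layout, the use of the later of the two dates, and the exact boundary day are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Values taken from the walkthrough above.
EXPIRE_AFTER_DAYS = 30   # days of inactivity before the account expires
WARN_DAYS_BEFORE = 14    # warning window ahead of the expiration date

@dataclass
class Account:
    # Hypothetical layout for an exported account list; not ExCM's schema.
    login: str
    last_login: Optional[date]
    last_activity: Optional[date]
    approved: bool

def expiration_date(acct):
    # Assumption: the later of the two dates is the start of inactivity.
    seen = [d for d in (acct.last_login, acct.last_activity) if d]
    return max(seen) + timedelta(days=EXPIRE_AFTER_DAYS) if seen else None

def classify(acct, today):
    """Return 'unknown', 'active', 'warning' or 'expired' under the policy."""
    expires = expiration_date(acct)
    if expires is None:
        return "unknown"          # no dates recorded; needs manual review
    if today >= expires:
        return "expired"
    if today >= expires - timedelta(days=WARN_DAYS_BEFORE):
        return "warning"
    return "active"

def enforcement_gaps(accounts, today):
    """Logins the policy says are expired but that are still approved."""
    return [a.login for a in accounts
            if a.approved and classify(a, today) == "expired"]

# Constructed sample data.
TODAY = date(2019, 6, 30)
SAMPLE = [
    Account("alice", date(2019, 6, 25), date(2019, 6, 25), True),
    Account("bob", date(2019, 6, 10), date(2019, 6, 12), True),
    Account("carol", date(2019, 5, 1), date(2019, 5, 20), True),
    Account("dave", date(2019, 5, 1), date(2019, 5, 2), False),
]

if __name__ == "__main__":
    print({a.login: classify(a, TODAY) for a in SAMPLE})
    print("approved past expiration:", enforcement_gaps(SAMPLE, TODAY))
```

A non-empty result from enforcement_gaps after the timer job's scheduled run is the cue to check that the SharePoint Timer Service was restarted on every server.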

 

 

 

External User Password Expiration

 

The Password Expiration Policy is set in this section of the Expiration Policies page:

 

Extranet Collaboration Manager external user password expiration policies

 

 

The settings are just like the settings for the Account Expiration Policy described in the previous section of this page.  

 

However, the process of renewing an expiring, or expired, password is different.

 

When a password is nearing expiration, the user will receive an appropriate notification email based on the notification policy settings.  Using the policy settings shown above, when the ExCM User Automation timer job runs and determines that it is 3 days before the user's password expires, it will automatically send out an email like this one:

 

Extranet Collaboration Manager password expiration approaching email

 

 

 

Note:  If you are using "Change Password at Next Login" or a "Password Expiration Policy", the email links will direct the user to the Root site collection URL to change their password. Because of this, the user must have the correct permissions in place to view the Root site collection before they can view and use the Change Password page.

 

The user can use the link provided to visit the site, log in, and then select the Change My Password menu item from her user name menu:

Extranet Collaboration Manager external user change my password option

 

This will take her to the Change My Password page where she can set a new password:

 

Extranet Collaboration Manager Change My Password window

 

 

Finally, if the user does not change her password before it expires, she will receive a final email notifying her that her password has actually expired.  Then, the next time she logs in to the site (using the expired password), she will be automatically redirected to the Change My Password page and will be required to change her password before she can access the site again.

 

 

©2019 PremierPoint Solutions. All Rights Reserved. 

 

 
