So you have set user passwords to expire in 90 days, under Setup | Security Controls | Password Policies, or under Password Policies in the Profile.
Everything is working fine: every user must change their password when logging in to Salesforce once the password age reaches 90 days or more.
By simply running a new report with the User report type, you can check when a user needs to change his/her password. Notice the field called Password Expiration Date.
In the normal scenario, Password Expiration Date > Last Login. But we noticed a few users with Last Login > Password Expiration Date. Does this mean those users were able to skip the password change when logging in to Salesforce?
Why did this happen? After investigating, here is the cause:
The user is not logging in to the Salesforce.com web site, but through the API, for example from Salesforce for Outlook, the Salesforce1 app, Chatter Desktop, or others. To find the "true" logins to the Salesforce.com web site, download Login History and filter it to that user and Login Type = Application.
Let's look at two users from the screenshot above:
Here is the first user's recent login history; the last login is 9/21/2016, which matches the report above.
Filtered to Login Type = Application, the user's real last login to the Salesforce.com web site is 8/13/2016, while Password Expiration Date is 8/22/2016, so it is correct that the user has not logged in to the Salesforce.com web site after 8/22/2016.
Here is the second user's recent login history; the last login is 8/12/2016, which matches the report above.
Filtered to Login Type = Application, the user's real last login to the Salesforce.com web site is 7/5/2016, while Password Expiration Date is 7/31/2016, so it is correct that the user has not logged in to the Salesforce.com web site after 7/31/2016.
Summary: Last Login in the user report does not only cover logins to the Salesforce.com web site; it can also come from other apps or devices, and that login method will not ask the user to change the password.
- Creating or refreshing a Sandbox does not change the Password Expiration Date.
- When a user changes his/her Salesforce password before the Password Expiration Date, the Password Expiration Date is reset and counted again for another x days; in this blog's sample, that is 90 days.
- A newly created user will have a Password Expiration Date before the Created Date, so the user has to change the password when logging in to Salesforce for the first time.
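
The check walked through above can be scripted over the two exports. This is an added example, not part of the original post: the CSV column layout, the usernames, the third user, the `Remote Access 2.0` sample login type and the "investigate" label for a web login after expiry are assumptions; the dates for the first two users are the ones from the walkthrough.

```python
import csv
import io
from datetime import datetime

# Constructed sample data; column names are assumptions for this example.
USER_REPORT = """Username,Last Login,Password Expiration Date
user.a@example.com,9/21/2016,8/22/2016
user.b@example.com,8/12/2016,7/31/2016
user.c@example.com,9/20/2016,11/15/2016
"""
LOGIN_HISTORY = """Username,Login Time,Login Type
user.a@example.com,9/21/2016,Remote Access 2.0
user.a@example.com,8/13/2016,Application
user.b@example.com,8/12/2016,Remote Access 2.0
user.b@example.com,7/5/2016,Application
user.c@example.com,9/20/2016,Application
"""

def _day(text):
    return datetime.strptime(text, "%m/%d/%Y").date()

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def last_web_logins(history_csv):
    """Latest Login Type = Application entry per user (web site logins)."""
    latest = {}
    for row in _rows(history_csv):
        if row["Login Type"] == "Application":
            day = _day(row["Login Time"])
            if row["Username"] not in latest or day > latest[row["Username"]]:
                latest[row["Username"]] = day
    return latest

def review(report_csv, history_csv):
    """Classify each user in the report against their web login history."""
    web = last_web_logins(history_csv)
    result = {}
    for row in _rows(report_csv):
        user = row["Username"]
        expiry = _day(row["Password Expiration Date"])
        if _day(row["Last Login"]) <= expiry:
            result[user] = "ok"
        elif user not in web or web[user] <= expiry:
            result[user] = "non-web login after expiry"
        else:  # assumption: a web login after expiry contradicts the policy
            result[user] = "web login after expiry: investigate"
    return result
```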