In case of having local console operators I would like to check potential password expiration date. However, I did not find this information. Any ideas? Dokumentation did not help me:
https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Console/c_monitoring_operators.html
https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_list_of_advanced_options.html#conceptTueSep160103122014
So you have maximumPasswordAgeDays configured already and want to report when the expiration will occur for each operator?
Exact. Last expiration was during my vacation, bad luck for my colleagues 
Hm. I thought I made some progress with Session Relevance to get the maximum password age:
(name of it, value of it | "none") of bes deployment options
with results like
maximumPasswordAgeDays, 720
passwordComplexityDescription, ( Passwords must contain 8 characters or more, both uppercase and lowercase letters, and at least 1 digit. )
passwordComplexityRegex, ( (?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:digit:]]).{8,} )
But, after getting the maximumPasswordAgeDays, I haven’t found a ‘bes user’ property or even a REST API call that will retrieve the operators’ last password change time.
So far I’ve managed to build a SQL query that retrieves them, though, if this helps at all.
select username
, PasswordLastChanged
, MaxPasswordAge
, DATEADD(day, CAST(MaxPasswordAge as int), PasswordLastChanged) as PasswordExpirationTime
FROM
(SELECT userinfo.username as username
, userinfo.PasswordLastChanged as PasswordLastChanged
, (
SELECT adminfield.FieldContents AS MaxPasswordAge from [BFEnterprise].[dbo].[ADMINFIELDS] as adminfield
WHERE adminfield.FieldName='Z:maximumPasswordAgeDays'
) as MaxPasswordAge
FROM bfenterprise.dbo.USERINFO as userinfo
where userinfo.ldapID is NULL
) AS test
Results sample
| username | PasswordLastChanged | MaxPasswordAge | PasswordExpirationTime |
|---|---|---|---|
| mo | 2023-01-06 02:31:12.190 | 720 | 2024-12-26 02:31:12.190 |
| bfc | 2023-02-02 18:42:51.453 | 720 | 2025-01-22 18:42:51.453 |
| bfi_service | 2023-02-02 18:51:21.810 | 720 | 2025-01-22 18:51:21.810 |
Oh, seems to be more tricky than expected. As a first step, SQL statement is pretty helpful, thanks very much.
I assume posting an idea / RFE to add this feature might be helpful for the future. Usually I prefer LDAP authenticated users of course but in some cases a local operator makes sense in my opinion.
Here’s a db2 version of the query to pull password Last Changed, Max Age, and Expiration Date, hat tip to @JasonWalker for getting me started with his SQL query:
CONNECT TO BFENT;
SELECT
u.USERNAME,
u.PASSWORDLASTCHANGED,
(SELECT CAST(CAST(a.FIELDCONTENTS AS VARCHAR(100)) AS INTEGER)
FROM DBO.ADMINFIELDS a
WHERE a.FIELDNAME = 'Z:maximumPasswordAgeDays') AS MaxPasswordAge,
u.PASSWORDLASTCHANGED +
(SELECT CAST(CAST(a.FIELDCONTENTS AS VARCHAR(100)) AS INTEGER)
FROM DBO.ADMINFIELDS a
WHERE a.FIELDNAME = 'Z:maximumPasswordAgeDays') DAYS AS PASSWORDEXPIRATIONDATE
FROM DBO.USERINFO u
WHERE u.LDAPID IS NULL;
Result example:
USERNAME PASSWORDLASTCHANGED MAXPASSWORDAGE PASSWORDEXPIRATIONDATE
-------------- -------------------------- -------------- --------------------------
mo 2025-04-18-15.37.35.781074 365 2026-04-18-15.37.35.781074
bfc 2024-12-23-16.36.55.771309 365 2025-12-23-16.36.55.771309
bf-test 2023-03-09-17.42.59.420868 365 2024-03-08-17.42.59.420868
I pipe it through sed to remove extra spaces to keep the output from wrapping making it more readable