are password policies applied retroactively

Document ID : KB000098258
Last Modified Date : 29/05/2018
Show Technical Document Details
Question:
If a password policy is applied after a user has actually met the criteria for a the account to be disabled, will it be applied?

For example,Ā 

An existing user UserA's last login date is 2018-05-01.

A password policy is created on 2018-05-10 to disable user accounts which have not logged in for 7 days.

Will the policy be applied and UserA's account be disabled when if they try to log in on 2018-05-11?
Answer:
Yes. The policy will be applied.

The policy is applied when a user next logs in so in the case above, when they user logs in on 2018-05-11, the system will look at the policies in effect for the user, determine that the user has not logged in for > 7 days and will lock/disable the account.

The important thing to understand is that the policy evaluation is done when a user tries to log in. There is no continual monitoring of a user.