The default password expiry for vSphere Single-Sign On (SSO) users within the vCenter Server Appliance (VCSA) is 90 days and this of course be changed to match your organizations policy. Although the vSphere UI can remind you right before your password expires, you may want to manually check or proactively inventory this information periodically.
To do so, you will need to SSH to the VCSA and use the dir-cli command with --level 2 option to get additional details for a given vSphere SSO user as shown in the example below:
/usr/lib/vmware-vmafd/bin/dir-cli user find-by-name --account william --level 2
Account: william
UPN: william[a]VSPHERE.LOCAL
Account disabled: FALSE
Account locked: FALSE
Password never expires: FALSE
Password expired: FALSE
Password expiry: 8916 day(s) 2 hour(s) 39 minute(s) 30 second(s)
In this particular environment, I have the vSphere SSO password expiry configured to 9000 days and as we can see for this user, there is ~8916 days left before the password expires.
For those looking to automate this, it looks like this is currently only possible using dir-cli but I have submitted a feature request to the recently released PowerCLI vSphere SSO Module to see if this information can also be included in the Get-SsoPersonUser cmdlet. If you need to retrieve the current configured vSphere SSO password expiry, you can use ldapsearch command within the VCSA or the Get-SsoPasswordPolicy cmdlet.
Sravan Gannarapu says
this article helped me to check the sso user password expiry status, is there any possibility to view the current password for the sso user.
Praveen Rao says
Hi Liam,
I would need a command to fetch the Local accounts with below details.
last login, last password change and password expiration date data at VCSA level.