Unfortunately the "Expire password" feature does not apply to Administrative users, only to regular users. There does not appear to be a way to "expire" the password for Administrative users either from the command line or GUI.
sorry, when i meant admin user i meant a local user (with admin or adminro privs) not the admin account specifically.
Is it possible to expire the password for a regular local user account (not admin account) ?
The admin users (users who can login to the firewall itself) are controlled by the 'cf adminuser' command. These users have an admin or adminro role in that output, or no role at all if they have 'no admin priveleges'.
The users in the 'Users and Usergroups' section can be thought of as 'proxy users' (users who can authenticate to the proxies which support authentication). The admin users are proxy users also. These users can be configured with the 'cf udb' command. These users cannot login to the firewall itself.
I do not see a way with either cf command to expire a password for a user though. You can run 'cf udb add user=username' and that will add a 'proxy user' with no password or authentication method, but I have not tested that to see what it actually does (I imagine that user cannot authenticate through a proxy as they have no auth method).
I tried this also:
cf adminuser modify username=swadmin password='' (no password specified)
but it said you cannot unset a password.
There is a way to make a rule on the firewall so a user can login via a web browser and change their password. This works for both admin users and 'proxy users' I believe (since they both user the Password warder). That is on page 107 of the 70102 Admin Guide (PD21680 in the KB or a Google search). That is not exactly what you asked for but more of an FYI.
I will ask the higher-ups if there is anyway to accomplish what you're asking for (akin to 'User must change password on next login' on Windows systems).