How to configure Linux to force new users to change their password on first login

I'm trying to configure the user password policy on RHEL 6.6, and I want the system to ask newly created users to change their initial password on first login.

Note that I tried setting the EXPIRE variable to 0 and INACTIVE to -1 in /etc/default/useradd, but that leads to the new user account being expired right after creation. The output of the chage command after creating a user with these variables is:

 # chage -l foo
 Last password change                                : Feb 22, 2015
 Password expires                                    : May 23, 2015
 Password inactive                                   : never
 Account expires                                     : Feb 22, 2015
 Minimum number of days between password change      : 1
 Maximum number of days between password change      : 90
 Number of days of warning before password expires   : 7

When I try to log in as user foo, the message "Your account has expired. Please contact your system administrator" is shown.

But if I open the 'User Properties' window, select the 'Password Info' tab and check 'Force password change on next login', the result is what I expect: the new user is asked to change the password. The output of the chage command in this case is:

 # chage -l foo2
 Last password change                                : password must be changed
 Password expires                                    : password must be changed
 Password inactive                                   : password must be changed
 Account expires                                     : never
 Minimum number of days between password change      : 1
 Maximum number of days between password change      : 90
 Number of days of warning before password expires   : 7

When I log in as user foo2, the system asks me to change the password.

So, is there any way to configure the system to set the user account parameters on creation as in the second case?

Upd

 cat /etc/default/useradd
 # useradd defaults file
 GROUP=100
 HOME=/home
 INACTIVE=-1
 EXPIRE=0
 SHELL=/bin/bash
 SKEL=/etc/skel
 CREATE_MAIL_SPOOL=yes

Even if I comment out INACTIVE or set it to a positive value, the account is expired, but not the password.

Also, I have configured PAM on the machine.

Upd 2

I checked this on a machine with RHEL 6.2 and without any PAM configuration. The effect is the same.


Since you're asking about RHEL 6, I looked at the source code for useradd (which is delivered as part of the 'shadow' package). In useradd.c there is a function called new_spent which sets up a new shadow password entry. There it addresses the "expired password on creation" issue this way:

 if (0 == spent->sp_lstchg) {
     /* Better disable aging than requiring a password change */
     spent->sp_lstchg = -1;
 }

Soooo... If you set a zero it makes it a -1.

The authors of the program have coded specifically against setting the aging to 0, so it won't matter if you set it to 0 in the EXPIRE parameter of /etc/default/useradd. (If it had been me writing that code, I would have checked whether the user was setting the password on the command line and then allowed the expiry, but it wasn't me...)

Also, it was suggested above that you could place a script at /usr/local/sbin/adduser.local to run a 'chage' command. This is good advice for a Debian/Ubuntu system, where useradd is a Perl script which does indeed run that file if it finds it, but on RHEL the useradd command is a C binary.

If I were you and I was determined to get that behavior from the RHEL 6 useradd, I'd get the SRPM for the shadow package, comment out those lines above, do an rpmbuild on the package and rock away. Winning!


Why not add this to a script?

 passwd -e username

If all you're after is the first login, this will work. The -e option expires the account password immediately, so on the next login the user is forced to update their password (see man passwd).
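As an added example (not code from either answer or from the shadow package), a small POSIX sh script that reads the third and eighth fields of an /etc/shadow entry to tell the "password must be changed" state (lastchg = 0, what the GUI checkbox, passwd -e and chage -d 0 set) apart from "aging disabled" (empty lastchg, what useradd writes for sp_lstchg = -1 in new_spent) and from an account expiry, plus a root-only helper that provisions a user and forces the change after creation; the shadow entries are constructed samples with placeholder hashes.

```shell
#!/bin/sh
# Added example: classify the password-aging state of an /etc/shadow entry
# and provision a user whose first login must change the password.
# /etc/shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Print the password state encoded in the lastchg field (field 3):
#   must-change  lastchg is 0 (what the GUI checkbox, passwd -e and chage -d 0 set)
#   no-aging     lastchg is empty (what useradd writes for sp_lstchg = -1)
#   normal       lastchg is a day count since 1970-01-01
shadow_pw_state() {
    lastchg=$(printf '%s\n' "$1" | cut -d: -f3)
    case "$lastchg" in
        0)  echo must-change ;;
        '') echo no-aging ;;
        *)  echo normal ;;
    esac
}

# Print the account expiry (field 8): a day count, or "never" when unset.
# EXPIRE in /etc/default/useradd sets this account-expiry field, which is
# separate from the password-age field checked above.
shadow_acct_expiry() {
    expire=$(printf '%s\n' "$1" | cut -d: -f8)
    if [ -n "$expire" ]; then echo "day-$expire"; else echo never; fi
}

# Create a user and force a password change on first login (run as root).
# useradd turns a zero lastchg into "aging disabled", so force it afterwards.
create_user_force_change() {
    useradd "$1" || return 1
    chage -d 0 "$1"    # same effect as: passwd -e "$1"
}

# Constructed sample entries with placeholder hashes (not real data):
SAMPLE_FOO='foo:$6$placeholder:16488:1:90:7::16488:'   # account expiry set, password not forced
SAMPLE_FOO2='foo2:$6$placeholder:0:1:90:7:::'          # forced change, no account expiry

for entry in "$SAMPLE_FOO" "$SAMPLE_FOO2"; do
    echo "${entry%%:*}: password=$(shadow_pw_state "$entry") account=$(shadow_acct_expiry "$entry")"
done
```

Run the classifier against `getent shadow username` after provisioning to confirm the account ended up in the must-change state rather than expired.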