1) If we have to apply a password expiry policy to all users; I think it's done in /etc/login.defs by changing parameters like PASS_MAX_DAYS etc.
Does that policy only apply to users created after this change in the /etc/login.defs file? I assume so.
2) If the change in /etc/login.defs only applies to new users (created after the change), do we have to manually set the policy for existing users individually with "passwd" or chage? (vipw -s is not recommended, I suppose.)
You are correct, changing the password policy only affects the users created after the change. To change the existing users you would need to run the 'chage' command on each user. While you could do this in a loop in bash, there is not a reliable way to ensure that you are only affecting the 'user' accounts and not affecting service accounts.
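
The loop mentioned in the answer above, sketched as a dry run (an added example, not part of the original posts). It assumes that accounts with a UID between UID_MIN and UID_MAX from login.defs and a shell other than nologin/false are people, which is only a heuristic; the function names and the sample passwd and login.defs contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (dry run): print chage commands for likely human accounts.

# defs_value FILE KEY DEFAULT: last numeric value of KEY in a login.defs-style file.
defs_value() {
    awk -v k="$2" -v d="$3" \
        '$1 == k && $2 ~ /^[0-9]+$/ { v = $2 } END { print (v == "" ? d : v) }' "$1"
}

# candidate_users PASSWD DEFS: names with UID in UID_MIN..UID_MAX and a login shell.
candidate_users() (
    min=$(defs_value "$2" UID_MIN 1000)
    max=$(defs_value "$2" UID_MAX 60000)
    awk -F: -v min="$min" -v max="$max" \
        '$3 >= min && $3 <= max && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
)

# plan_chage PASSWD DEFS: print, never execute, one chage command per candidate.
plan_chage() (
    days=$(defs_value "$2" PASS_MAX_DAYS 99999)
    candidate_users "$1" "$2" | while read -r user; do
        printf 'chage -M %s %s\n' "$days" "$user"
    done
)

# Constructed sample data so the example runs offline; on a real host pass
# /etc/passwd and /etc/login.defs instead.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
deploy:x:1002:1002:CI deploy service:/home/deploy:/bin/bash
backup:x:1003:1003:backup job:/var/backups:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
cat > "$SAMPLE_DIR/login.defs" <<'EOF'
# constructed excerpt
PASS_MAX_DAYS   90
UID_MIN         1000
UID_MAX         60000
EOF

# "deploy" is a service account with a login shell and a regular UID: the
# heuristic cannot tell it apart from a person, so review the list before use.
plan_chage "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/login.defs"
```

The printed list still includes the constructed `deploy` service account, so review it by hand before running any of the commands as root.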