| rest /services/authentication/users splunk_server=local 
|fields title, roles, email
| rename title as user
| eval roles=if(roles="admin","admin","")
| eval action="need to reset password"
|join type=left user [|search index=_audit (action="password change" NOT user=index-manager) 
                      |join user [| rest /services/authentication/users splunk_server=local 
                                  |fields title, roles, email
                                  | rename title as user
                                  | eval roles=if(roles="admin","admin","")
                                  ]
                      |eval timestamp= strptime(timestamp,"%m-%d-%Y") 
                      |eval check_time=if(roles="admin",relative_time(timestamp,"+30d@d"), relative_time(timestamp,"+90d@d"))
                      |eval action=if(action="password change",if(check_time < now(),"need to reset password","password change 
                                                 successful"), "need to reset password")
                      |convert ctime(*time*) 
                      ]  |table user,email,roles, timestamp, check_time, action

This is my final query it doesn't need a lookup and its not dependent on a lookup that I have to manually update every month or so