Disabled, locked, and deleted accounts

Enable, disable, or delete user accounts and Windows-linked user accounts. A security policy determines whether deleted accounts are visible in the user list. An account can lock if a user types the wrong password to the account more than a certain number of times when logging on. Locked accounts are usually reset automatically after a certain amount of time elapses, but can be reset manually.
To change the status of an account, configure these account properties and system policy settings.
Disabled accounts
When a user account is disabled, the account is still present, but cannot be used to access the system. A system administrator can manually disable an account, or an account can become disabled past an expiration date, defined as part of system policy settings.
You cannot disable or enable Windows-linked user accounts using FactoryTalk Administration Console. Disable or enable Windows-linked user accounts in Windows.
IMPORTANT: Always have at least one Windows-linked user account that is a member of the FactoryTalk Administrators group. If the Windows-linked administrator account is disabled, the Windows domain administrator can reset the account.
If a user account is disabled, it remains disabled until a system administrator enables the account manually.
Locked accounts
An account can lock if a user types the wrong password to the account more than a certain number of times when logging on. Locked accounts are usually reset automatically after a certain amount of time elapses but can also be reset manually.
For Windows-linked accounts, when this happens depends on the Account lockout duration policy in Windows.
For FactoryTalk accounts, when this happens depends on the security policies Account lockout threshold and Account lockout auto reset.
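The following PowerShell check is an added example, not part of the original documentation or any Rockwell Automation tooling. It covers both the IMPORTANT note under Disabled accounts and the Windows lockout policy above by reading the domain lockout settings and reporting whether each Windows-linked administrator account is currently usable. It assumes a domain environment with the ActiveDirectory (RSAT) module installed; the account names in $LinkedAdmins are placeholders that you maintain by hand, since the script does not read group membership from FactoryTalk.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumption: Windows accounts you have linked into the FactoryTalk
# Administrators group. Placeholder names; replace with your own.
$LinkedAdmins = @('ft-admin1', 'ft-admin2')

# Domain lockout settings that apply to Windows-linked accounts.
# A fine-grained password policy, if one is assigned, can override these.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow |
    Format-List

# Current state of each linked administrator account.
$status = foreach ($name in $LinkedAdmins) {
    try {
        $u = Get-ADUser -Identity $name -Properties LockedOut, AccountExpirationDate -ErrorAction Stop
        $expired = [bool]($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date))
        [pscustomobject]@{
            Account   = $name
            Enabled   = $u.Enabled
            LockedOut = $u.LockedOut
            Expired   = $expired
            Usable    = $u.Enabled -and -not $u.LockedOut -and -not $expired
        }
    } catch {
        # Account not found or directory unreachable: treat as not usable.
        [pscustomobject]@{
            Account = $name; Enabled = $null; LockedOut = $null
            Expired = $null; Usable = $false
        }
    }
}
$status | Format-Table -AutoSize

# Warn when no linked administrator account can currently log on.
if (-not ($status | Where-Object Usable)) {
    Write-Warning 'No usable Windows-linked FactoryTalk administrator account found.'
}
```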
Deleted accounts
The Security Policy Keep record of deleted accounts determines whether an account is completely removed from the system when deleted, or if the account is retained in the system and marked as "deleted." By default, deleted accounts are completely removed from the system, with no record maintained, other than in existing audit trails. If the Keep record of deleted accounts policy is enabled, when a user account is deleted, it is still present in the system for tracking purposes. The account cannot be enabled or reused. Once an account is deleted, it cannot be undeleted.
If your manufacturing facility is not subject to governmental regulations such as those of US Government 21 CFR Part 11, leave the Keep record of deleted accounts policy in its default, disabled state. This allows you to create a user account with the identical name as a deleted account. However, the new user account will not automatically have access to the same resources that the old one did. You will need to recreate the security settings for the user account.
If your facility is subject to 21 CFR Part 11 regulations, you should enable the Keep record of deleted accounts policy setting. In this case, once a user account is deleted, it cannot be recreated using the same name. To reinstate a user whose account has been deleted (but is still retained for tracking purposes), the system administrator must create an entirely new account with a different account name. For example, suppose employee John Doe Smith leaves the company and his user account "jdsmith" is deleted. Later, John Doe Smith is rehired. Because the system policy is set to retain a history of deleted accounts, the system administrator cannot create a new account named "jdsmith." Instead, the administrator must create a new account with a different name that still points unambiguously to the same user. For example, the administrator might create a new account named "jdsmith2."
Because audit records must be unambiguous, all user accounts are identified by means of a unique identifier that is separate from the user name. When you delete a user account, the user's access rights are deleted, but the user account's unique identifier is not deleted. Then, if the employee leaves the company and returns in the future, the account information included in audit trails will continue to uniquely identify that same user, even when a new account with a different name is created.