Account Policy Settings

Use Account Policy Settings to specify how FactoryTalk manages policies for user, computer, and group accounts. Additional policy settings for computer accounts are managed in Computer Policy Settings.
Logon session lease
Sets the maximum number of hours that a user can remain logged on before the system checks whether the user's account is still valid. Use this setting to prevent logged-on users from retaining access indefinitely, even after their accounts are disabled or deleted.
For example, if a user's account is disabled or its password is changed, the cached account name and password can no longer be reauthenticated, and the logon session becomes invalid. The user cannot access secure system resources until the user logs on successfully again. Note that the check happens only when the lease expires, so a disabled account can keep its existing access for up to the configured number of hours.
Setting this value to 0 allows the logon session to be used indefinitely: users have continuous access, and the system never automatically reauthenticates them, so it never checks whether the user's account is still valid. Leave the lease at a non-zero value if disabling or deleting an account must also end that user's existing sessions.
Minimum: 0 hours
Maximum: 999 hours
Default: 1 hour
Account lockout threshold
Sets the number of consecutive failed logon attempts that will cause an account to be locked. If set to 0, accounts are never locked.
An invalid logon attempt occurs if the user attempts to log on and specifies a correct user name but an incorrect password.
A locked account cannot be used until the Account lockout auto reset period expires, or until the account is reset by a FactoryTalk administrator. This helps prevent an unauthorized user from gaining access to the system by guessing a password using a process of elimination.
Minimum: 0 invalid logon attempts
Maximum: 999 invalid logon attempts
Defaults:
  • For the Network Directory, 3 invalid logon attempts.
  • For the Local Directory, 3 invalid logon attempts.
Account lockout auto reset
Specifies the number of minutes (0 to 999) that must pass before a locked account is reset automatically, allowing the user to attempt to log on again.
If set to 0, locked accounts are not reset automatically; a FactoryTalk administrator must unlock the account manually. A setting of 0 gives the strongest resistance to password guessing, but it also means that anyone who can reach the logon prompt can lock an account out until an administrator intervenes, so a short automatic reset period is often the better trade-off.
Minimum: 0 minutes
Maximum: 999 minutes
Default: 15 minutes
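The following is an added example, not FactoryTalk code: a small model of how the Logon session lease, Account lockout threshold and Account lockout auto reset settings described above interact. The class and field names (AccountPolicy, Directory, Session, and so on), the sample "operator" account and the timestamps are all assumptions made for the illustration; the rules it encodes are the ones stated in the setting descriptions (unknown user names do not count as invalid attempts, 0 disables locking or automatic reset, and a lease of 0 means a session is never rechecked).

```python
# Added illustration, not FactoryTalk code: a small model of how the Logon
# session lease, Account lockout threshold and Account lockout auto reset
# policies behave. Class and field names are assumptions for this example.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class AccountPolicy:
    logon_session_lease_hours: int = 1    # 0 = sessions are never rechecked
    lockout_threshold: int = 3            # 0 = accounts are never locked
    lockout_auto_reset_minutes: int = 15  # 0 = an administrator must unlock

@dataclass
class Account:
    name: str
    password: str
    disabled: bool = False
    failed_attempts: int = 0              # consecutive wrong passwords
    locked_at: Optional[datetime] = None

@dataclass
class Session:
    account: str
    password_at_logon: str                # credential that must reauthenticate
    last_validated: datetime

class Directory:
    def __init__(self, policy: AccountPolicy, accounts: List[Account]):
        self.policy = policy
        self.accounts = {a.name: a for a in accounts}

    def is_locked(self, acct: Account, now: datetime) -> bool:
        if acct.locked_at is None:
            return False
        reset = self.policy.lockout_auto_reset_minutes
        if reset > 0 and now - acct.locked_at >= timedelta(minutes=reset):
            acct.locked_at = None         # auto reset period has expired
            acct.failed_attempts = 0
            return False
        return True                       # still locked (forever, if reset == 0)

    def admin_unlock(self, name: str) -> None:
        self.accounts[name].locked_at = None
        self.accounts[name].failed_attempts = 0

    def logon(self, name: str, password: str, now: datetime) -> Optional[Session]:
        acct = self.accounts.get(name)
        if acct is None:                  # unknown name: not an "invalid attempt"
            return None
        if acct.disabled or self.is_locked(acct, now):
            return None
        if password != acct.password:     # correct name, wrong password
            acct.failed_attempts += 1
            thr = self.policy.lockout_threshold
            if thr > 0 and acct.failed_attempts >= thr:
                acct.locked_at = now
            return None
        acct.failed_attempts = 0          # consecutive count resets on success
        return Session(name, password, now)

    def authorize(self, session: Session, now: datetime) -> bool:
        """May this session still reach a secured resource at `now`?"""
        lease = self.policy.logon_session_lease_hours
        if lease == 0:
            return True                   # never rechecked: disabling has no effect
        if now - session.last_validated < timedelta(hours=lease):
            return True                   # lease has not expired yet
        acct = self.accounts.get(session.account)
        if acct is None or acct.disabled or acct.password != session.password_at_logon:
            return False                  # reauthentication failed: session invalid
        session.last_validated = now
        return True

def lockout_scenario(threshold: int, reset_minutes: int) -> Tuple[bool, bool, bool]:
    """Three wrong passwords, then the right one: at once, after 15 min, after admin unlock."""
    t0 = datetime(2024, 1, 1, 8, 0)
    policy = AccountPolicy(lockout_threshold=threshold, lockout_auto_reset_minutes=reset_minutes)
    d = Directory(policy, [Account("operator", "correct-pw")])   # constructed sample account
    for _ in range(3):
        d.logon("operator", "wrong-pw", t0)
    at_once = d.logon("operator", "correct-pw", t0 + timedelta(minutes=1)) is not None
    after_15 = d.logon("operator", "correct-pw", t0 + timedelta(minutes=15)) is not None
    d.admin_unlock("operator")
    after_unlock = d.logon("operator", "correct-pw", t0 + timedelta(minutes=16)) is not None
    return at_once, after_15, after_unlock

def lease_scenario(lease_hours: int) -> Tuple[bool, bool]:
    """Log on, disable the account, then check access after 30 and 61 minutes."""
    t0 = datetime(2024, 1, 1, 8, 0)
    d = Directory(AccountPolicy(logon_session_lease_hours=lease_hours), [Account("operator", "pw")])
    s = d.logon("operator", "pw", t0)
    d.accounts["operator"].disabled = True
    return d.authorize(s, t0 + timedelta(minutes=30)), d.authorize(s, t0 + timedelta(minutes=61))
```

With the defaults (threshold 3, auto reset 15 minutes, lease 1 hour) the model locks the account on the third wrong password, refuses the correct password a minute later, accepts it once 15 minutes have passed, and ends a disabled user's session at the next lease check but not before it. Setting the threshold to 0 never locks, setting the reset to 0 keeps the account locked until admin_unlock, and a lease of 0 leaves the disabled user's session valid indefinitely.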
Keep record of deleted accounts
Determines whether a deleted user account is removed permanently with no record retained in the system, or is flagged as deleted, permanently disabled, and retained as a record in the system.
To keep a record of deleted accounts, and to force all new accounts to be unique, select Enabled. To also see the retained records, enable the Show deleted accounts in list policy.
To discard accounts when they are deleted, select Disabled. This means that after a user account is deleted, an account with the same user name can be created again later. If the policy is enabled and a user account is deleted, an account with the same user name cannot be created again, because its record still exists in the system.
If the policy is disabled and a user account with the same name is recreated, the new account does not inherit the security settings of the old one. All user accounts are identified by a unique identifier that is separate from the user name. When a user account is deleted, the user's access rights are deleted, but the account's unique identifier is not; a recreated account is assigned a different identifier and is therefore a different identity to the system.
When creating another user account with the same name, recreate its security settings: add the account to a group that already has security settings defined, or create permissions for the account when securing a resource.
For security and audit tracking reasons, and to satisfy compliance requirements in regulated manufacturing industries, it might be necessary to:
  • Keep a record of previously deleted accounts
  • Ensure that all user accounts can be uniquely identified in the system
Default: Disabled
Show deleted accounts in list
Sets whether deleted account records are listed in the Users folder in the System tree. This policy works together with the Keep record of deleted accounts policy: if Keep record of deleted accounts is enabled, enabling Show deleted accounts in list allows a FactoryTalk administrator to view details about accounts that were deleted.
To hide deleted accounts in the list of users, select Disabled. Deleted accounts are then not shown in the list of user accounts, even if a record of them is kept. To keep a record of deleted accounts (for example, for regulatory compliance) and view details about them, enable both Keep record of deleted accounts and this policy; enabling this policy alone does not retain any records.
Default: Disabled
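The following is an added example, not FactoryTalk code, covering the Keep record of deleted accounts and Show deleted accounts in list settings above. It models a directory in which permissions are granted to an account's unique identifier rather than its user name, so that a recreated account with the same name is a different identity and inherits nothing, and shows how the two policies change whether the name can be reused and whether the deleted record is listed. The UserDirectory class, the "operator" account and the "Line1/Recipe" resource are assumptions made for the illustration.

```python
# Added illustration, not FactoryTalk code: how "Keep record of deleted
# accounts" and "Show deleted accounts in list" change what happens when an
# account is deleted and its user name is reused. Names are assumptions.
import uuid
from typing import Dict, List, Set

class UserDirectory:
    def __init__(self, keep_record_of_deleted: bool, show_deleted_in_list: bool):
        self.keep_record = keep_record_of_deleted
        self.show_deleted = show_deleted_in_list
        self.users: Dict[str, dict] = {}        # unique id -> {"name", "deleted"}
        self.grants: Dict[str, Set[str]] = {}   # resource -> unique ids allowed

    def create_user(self, name: str) -> str:
        # A retained (deleted) record still occupies the user name.
        if any(u["name"] == name for u in self.users.values()):
            raise ValueError(f"user name {name!r} already exists")
        uid = str(uuid.uuid4())                 # identity is the id, not the name
        self.users[uid] = {"name": name, "deleted": False}
        return uid

    def grant(self, resource: str, uid: str) -> None:
        self.grants.setdefault(resource, set()).add(uid)

    def delete_user(self, uid: str) -> None:
        for allowed in self.grants.values():    # the user's access rights are deleted
            allowed.discard(uid)
        if self.keep_record:
            self.users[uid]["deleted"] = True   # flagged, disabled, record retained
        else:
            del self.users[uid]                 # record discarded, name reusable

    def has_access(self, resource: str, uid: str) -> bool:
        user = self.users.get(uid)
        if user is None or user["deleted"]:
            return False
        return uid in self.grants.get(resource, set())

    def list_users(self) -> List[str]:
        out = []
        for u in self.users.values():
            if not u["deleted"]:
                out.append(u["name"])
            elif self.show_deleted:             # only listed when both policies allow
                out.append(u["name"] + " (deleted)")
        return sorted(out)

def reuse_scenario(keep_record: bool, show_deleted: bool) -> dict:
    """Create 'operator', grant it a resource, delete it, then try to recreate it."""
    d = UserDirectory(keep_record, show_deleted)
    old = d.create_user("operator")             # constructed sample account
    d.grant("Line1/Recipe", old)
    d.delete_user(old)
    try:
        new = d.create_user("operator")
        recreated = True
        inherited = new == old or d.has_access("Line1/Recipe", new)
    except ValueError:
        recreated, inherited = False, False
    return {"recreated": recreated, "inherited": inherited, "listed": d.list_users()}
```

With the policy disabled the name "operator" can be created again, but the new account gets a fresh identifier and no access to Line1/Recipe; with it enabled the second create fails because the record still exists, and that record appears in the user list only when Show deleted accounts in list is also enabled.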
Account synchronization interval
Sets how often, in minutes, the system synchronizes its cached Windows-linked account information with Windows Active Directory (AD). Requests for Windows-linked account data are answered from this cache to shorten response time, so a change made in AD, such as disabling a user, may not take effect in FactoryTalk until the next synchronization.
Minimum: 1 minute
Maximum: 60 minutes
Default: 15 minutes