Modify Account Policy Settings

Use Account Policy Settings to change these security policy properties:
  • Logon session lease
  • Account lockout threshold
  • Account lockout auto reset
  • Keep record of deleted accounts
  • Show deleted accounts in user list
  • Account synchronization interval

To modify Account Policy Settings
  1. In FactoryTalk Administration Console Explorer, expand System > Policies > System Policies.
  2. Right-click Security Policy and select Properties.
  3. In Security Policy Properties, select + to expand Account Policy Settings.
  4. To set the maximum number of hours that a user can remain logged on before the system checks whether the user’s account is still valid, select Logon session lease, and type a value from 0-999. Setting this value to 0 allows the logon session to be used indefinitely, allowing users to have continuous access, even if their accounts are disabled or deleted.
  5. To set the number of consecutive times a user can unsuccessfully attempt to log on before the account is locked, double-click Account lockout threshold, and type a value from 0-999. If set to 0, accounts are never locked no matter how many consecutive times a user attempts to log on. An invalid logon attempt occurs if the user attempts to log on and specifies a correct username but an incorrect password.
    A locked account cannot be used until the Account lockout auto reset period expires, or until the account is reset by a FactoryTalk administrator. This helps prevent an unauthorized user from gaining access to the system by guessing a password through a process of elimination.
  6. To specify the amount of time that must expire before a locked account is reset and the user can attempt access again, select Account lockout auto reset and type a value between 0 and 999 minutes.
  7. To determine if the system maintains a record of deleted user accounts, select Keep record of deleted accounts, and select one:
    • Enabled—Accounts are permanently disabled but remain flagged in the system with a unique identifier. New accounts must have unique names. For security, audit tracking, and compliance requirements, it may be necessary to keep a record of deleted accounts.
    • Disabled—Accounts are fully deleted from the system, allowing new accounts to use the same name. However, the new accounts have different account identifiers and do not inherit the security settings of the account.
  8. If deleted account records are kept, choose whether or not to list deleted account records in the Users folder in the System tree. Select Show deleted accounts in user list, and select one:
    • Enabled—Administrators can view details about these deleted user accounts.
    • Disabled—Deleted accounts are not shown in the list of user accounts.
  9. To set the interval for synchronizing Windows-linked account information with Windows Active Directory (Windows AD), select Account synchronization interval, and then select a value from 1 through 60 minutes.
  10. When finished modifying Account Policy Settings, select OK.
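
The following audit check is an added example, not code from the product or its documentation. It validates a set of recorded Account Policy Settings values against the ranges and zero-value behaviors in steps 4 through 9, and estimates how many failed logons the lockout settings allow per account per day. The dictionary key names, SAMPLE, and WEAK are hypothetical values constructed for this example.

```python
# Added example, not vendor code. Key names are hypothetical labels for the
# settings described above; SAMPLE and WEAK are constructed values.
RANGES = {  # documented ranges from steps 4, 5, 6 and 9
    "logon_session_lease_hours": (0, 999),
    "account_lockout_threshold": (0, 999),
    "account_lockout_auto_reset_minutes": (0, 999),
    "account_sync_interval_minutes": (1, 60),
}
ZERO_EFFECTS = {  # zero values whose effect the page spells out
    "logon_session_lease_hours":
        "sessions never re-validated; disabled or deleted accounts keep access",
    "account_lockout_threshold":
        "accounts are never locked, however many logon attempts fail",
}

def audit_account_policy(policy):
    """Return (setting, finding) pairs for out-of-range or risky values."""
    findings = []
    for name, (low, high) in RANGES.items():
        value = policy.get(name)
        if type(value) is not int or not low <= value <= high:
            findings.append((name, f"{value!r} is outside {low}-{high}"))
        elif value == 0 and name in ZERO_EFFECTS:
            findings.append((name, ZERO_EFFECTS[name]))
    if policy.get("keep_record_of_deleted_accounts") is not True:
        findings.append(("keep_record_of_deleted_accounts",
                         "deleted account names can be reused by new accounts"))
    return findings

def max_failed_logons_per_day(policy):
    """Approximate daily ceiling on failed logons against one account.
    Assumption: each lockout cycle permits `threshold` failures and lasts
    at least the auto reset period. Returns None for a reset of 0, because
    the page does not say what 0 means for that setting."""
    threshold = policy["account_lockout_threshold"]
    reset = policy["account_lockout_auto_reset_minutes"]
    if threshold == 0:
        return float("inf")  # never locked, so no ceiling
    if reset == 0:
        return None
    return threshold * 1440 // reset

SAMPLE = {"logon_session_lease_hours": 8, "account_lockout_threshold": 5,
          "account_lockout_auto_reset_minutes": 30,
          "account_sync_interval_minutes": 15,
          "keep_record_of_deleted_accounts": True}
WEAK = dict(SAMPLE, logon_session_lease_hours=0, account_lockout_threshold=0,
            keep_record_of_deleted_accounts=False)
```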