Lock user accounts

You can lock users accounts after a number of unsuccessful logons so that someone cannot guess a user name and password combination. When an account is locked with a time period enabled, when the time period expires, a user can log on again with the correct password. However, if an incorrect password is entered another time, the account is locked again after a single attempt. If the account is locked and a user attempts to log on during the lockout period, the expiry time starts from the last attempt. Even when the attempt was made during a locked out phase. This is for security reasons, so that an administrator can see whether an attempt is being made to hack an account. The failed count is increasing and the last time of failure recorded. You can use the following properties to lock user accounts, set a period for the lock and specify computers that the locked account can be used on.
account.lockout= 
Modifiable field account.lockout
Field Description Lock a user account after a consecutive number of failed logons. Set to 0 to disable the function. The default value is 0.
Possible Values User defined.
Value Definition User-defined integer.
account.lockout.timeout= 
Modifiable field account.lockout.timeout
Field Description If user account is locked due to consecutive failed logons, re-enable the account after this time. The period can be MIN,HOUR,DAY,MONTH.
Note: This property is valid only when account.lockout is enabled.
Possible Values User-defined
Value Definition User-defined. MIN,HOUR,DAY,MONTH. For example, set to 5MIN means that the account is locked for 5 minutes. Set to 2DAY, means that the account is locked for 2 days.
Note: If left blank the account is locked until manually set.
account.lockout.allowlogonfrom= 
Modifiable field account.lockout.allowlogonfrom
Field Description You can use this property to allow users to log on from this host even if their account is locked due to consecutive failed logons. If your account is locked, you can log on to the BigFix® Remote Control Server from the computer or computers whose IP addresses are listed here.For example : 192.0.2.1;192.0.2.2;
Note: You must end each host name with a semi-colon.
Possible Values User-defined
Value Definition User-defined semi-colon separated list of IP addresses that ends with a semi-colon.
Examples of usage:
Example 1:

account.lockout = 0.

account.lockout.timeout = X.

The account is not locked after unsuccessful logon attempts because account.lockout=0.

Example 2:

account.lockout = 3.

account.lockout.timeout =

After three successive failed logons for an account, the account is locked, and requires a reset. The reset can be made by an administrator account by editing the database or by using the server UI. This reset is a manual reset because account.lockout.timeout is not assigned a value.

Example 3:

account.lockout = 3.

account.lockout.timeout = 1HOUR .

After three successive failed logons for an account, the account is locked for a duration of 1hour. However, it can be reset in the database or the serverUI by using an administrator account.

Example 4:

account.lockout = 3

account.lockout.timeout =

account.lockout.allowlogonfrom=1.1.1.1;

After three successive failed logons for an account, the account is locked, and requires a reset in the database or the server UI by using an administrator account. The user can also log on from a computer with the IP address set in account.lockout.allowlogonfrom and the lockout is ignored.

When a user account is locked, you can unlock the account by using the Unlock locked userid menu item. For more information, see Unlocking user accounts.

When a user uses the forgotten password option on the logon page, a password is emailed to the registered user for the account. However, if the account is locked, it remains locked as a security precaution so that an attacker cannot have unlimited attempts to guess a password. You can use the property account.lockout.reset.onemailpassword to automatically unlock an account in this scenario.

account.lockout.reset.on.emailpassword= 
Modifiable field account.lockout.reset.on.emailpassword
Field Description Determines whether a locked account is reset when the user selects the forgotten password check box on the logon screen.
Possible Values True / False
Value Definition
True
The locked account is reset when the password reset email is received from the administrator.
False
The locked account is not reset when the forgotten password request is received
Note: This property works with the forgotten password feature, therefore, email must be enabled in the system.