Configure account unlock self-service options

You can enable users to unlock their accounts.

To enable account unlock policies:

  1. Log in to Admin Portal, click Access > Policies tab, and select the policy set.
  2. Click User Security Policies > Self Service.
  3. Select Yes in the Enable account self service controls drop-down.
  4. Enable the Account Unlock option.

  5. Limit who can unlock their accounts.

    • The “Allow for Active Directory users” option enables users with Active Directory accounts to unlock their accounts. If you do not set this option, the “Unlock your account?” link is not displayed in the login prompt for users with Active Directory accounts. If you set this option, then you will need to configure the Active Directory Self Service Settings.
    • The “Only allow from browsers with identity cookie” option restricts account unlock to those users who have already logged in successfully. If this box is not set, anybody can use the account unlock option.

      The Privileged Access Service writes the identity cookie the first time the user logs in successfully. However, when users clear the history on their browsers, it removes this cookie.

  6. Select the authentication profile to specify the authentication mechanism/second-factor authentication users must provide before they can unlock their accounts.

    You can use a default profile, use an existing profile, or create a new one. Users can't use the same factors to unlock the account that they use to login, so make sure the authentication profile used for account unlock has additional factors selected and the user account has the necessary attributes to use them.

    For example, if the user typically logs in with the "Password" and "Email confirmation code" challenges, you could select the "Text message (SMS) confirmation code" challenge in the authentication profile used for self-service account unlock. To pass an SMS challenge, the user account must have a valid value for the "Mobile Number" attribute.

    See Creating authentication profiles for more information.

  7. Configure options for enabling account unlocking for Active Directory users.

    • Select Use connector running on privileged account to run the connector under an account that has the User Account Control permission. Unless you have changed the connector account after you ran the connector installation wizard, the connector is run as a Local System account process. By default, a Local System account does not have the User Account Control permission. See Permissions required for alternate accounts and organizational units to set the permission.

      Optionally, after you select this Use connector running on privileged account setting, you can assign account unlock permission for Active Directory users by creating a security group in Active Directory, give a user or group permission to read and write the LockoutTime attribute for an OU or other container, and add the connector’s computer object(s) to that group.

    • Select Use these credentials and provide the account user name and password to use an account with the required permission to unlock the account. For example, any account in the connector’s Domain Admins group can unlock another user’s Active Directory account.
  8. Click Save.