2.
3. Click to select the Policies container.
• Account tab: Allows you to configure the Defender Security Policy settings related to the lockout of user accounts.
• Logon Hours tab: Allows you to configure a time slot when authentication via Defender is permitted or denied to the user.
• SMS Token tab: Allows you to configure settings for sending SMS messages containing one-time passwords to users’ SMS-capable devices.
• E-mail Token tab: Allows you to configure settings for sending e-mail messages containing one-time passwords to the users.
• GrIDsure Token tab: Allows you to enable the use of GrIDsure Personal Identification Pattern (PIP) for authentication via Defender.
6. When you are finished, click OK to apply your changes.
• Description: View or change the Defender Security Policy description.
• Use: Select a primary authentication method for the Defender Security Policy. An authentication method determines the credentials that the user must enter when authenticating. For available authentication methods and their descriptions, see New Object - Defender Policy Wizard reference.
• Followed By: Select an additional authentication method for the Defender Security Policy. To disable the use of an additional authentication method, select None.
• Enable Account Lockout: Select this check box to lock out the user’s Defender account after the number of violations (unsuccessful logon attempts) specified in the Lockout after n violations option. Clear this check box to disable account lockout.
• Lockout Windows account after indicated violations: Select this check box to lock out the user’s Windows account after the user has exceeded the specified number of unsuccessful logon attempts. This option requires the Windows account lockout option to be enabled in Domain Security Policy or Domain Controller Security Policy. If the Windows account is locked, the user is unable to log on to their Windows account locally or remotely via Defender.
• Locked accounts must be unlocked by an administrator: Specifies that locked accounts can only be unlocked by an administrator. Use the Lockout duration option to set the lockout duration in minutes. The lockout duration is counted from the moment of the most recent logon attempt. That is, if the user attempts to log on while the account is still locked, the lockout duration is recalculated from the moment of that attempt. If you set the Lockout duration value to 0, locked user accounts can only be unlocked by an administrator.
• Automatically reset account after successful login: Resets the count of unsuccessful logon attempts to 0 after the user successfully logs on.
• Enable Defender Password Expiry: Causes the Defender password to expire after the number of days specified in the Expire after option.
• Enable PIN Expiry: Causes the token PIN to expire after the number of days specified in the Expire after option.
• Allow authentication with expired Active Directory password: Enables the user to authenticate via Defender even if the user’s Active Directory password has expired. This option only has effect if the authentication method selected for the user is Active Directory password or Token with Active Directory password.
• Allow expired Active Directory password to be changed: Enables the user to change an expired Active Directory password. This setting can only be used if the method used by the user to communicate with Defender also supports the password change option.
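The lockout options above (Enable Account Lockout, Lockout duration, Automatically reset account after successful login) interact over time, which a small model makes easier to follow. The following Python model is an added example, not One Identity code: the class and field names are hypothetical, and locking on the nth failure and clearing the failure count when a lock expires are assumptions.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:               # hypothetical names mirroring the options above
    enabled: bool = True           # Enable Account Lockout
    violations: int = 3            # Lockout after n violations
    duration_min: int = 30         # Lockout duration; 0 = administrator unlock only
    reset_on_success: bool = True  # Automatically reset account after successful login

class Account:
    def __init__(self, policy):
        self.policy = policy
        self.failures, self.locked = 0, False
        self.timer_start = None    # minute of the most recent attempt since locking

    def is_locked(self, now):
        if not self.locked or self.policy.duration_min == 0:
            return self.locked     # duration 0: only an administrator's unlock() clears it
        if now - self.timer_start >= self.policy.duration_min:
            self.unlock()          # assumption: expiry also clears the failure count
            return False
        return True

    def unlock(self):              # also what an administrator unlock does in this model
        self.locked, self.failures = False, 0

    def attempt(self, now, credentials_ok):
        if self.is_locked(now):
            self.timer_start = now # an attempt while locked restarts the duration
            return "locked"
        if credentials_ok:
            if self.policy.reset_on_success:
                self.failures = 0
            return "ok"
        self.failures += 1
        if self.policy.enabled and self.failures >= self.policy.violations:
            self.locked, self.timer_start = True, now  # assumption: lock on the nth failure
        return "denied"

def simulate(policy, events):
    """events: constructed (minute, credentials_ok) pairs; returns the outcomes."""
    account = Account(policy)
    return [account.attempt(minute, ok) for minute, ok in events]

# Constructed timeline: three failures, then correct credentials at minutes 20, 45, 75.
EVENTS = [(0, False), (1, False), (2, False), (20, True), (45, True), (75, True)]
for p in (LockoutPolicy(), LockoutPolicy(duration_min=0)):
    print(simulate(p, EVENTS))
```

In the first run the retries at minutes 20 and 45 each restart the 30-minute duration, so the account only opens at minute 75; a user who waits instead is admitted at minute 32.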
© 2021 One Identity LLC. ALL RIGHTS RESERVED.