
What are Account Lockouts?

  • Account lockouts happen when a user unsuccessfully attempts to log in 5 or more times consecutively.

  • When a user is locked out, the account lockout lasts for 21 minutes and prevents them from logging in or setting a new password.

  • The account lockout timer does not reset upon another unsuccessful login attempt, nor does the timer extend longer than 21 minutes. This means a lockout will always be 21 minutes.

  • Accounts can get locked out repeatedly if there are devices attempting to log into the system. This happens quite a bit to people that have their credentials saved when connecting to the Wi-Fi.

  • Automatically connecting to the university's Wi-Fi (SJSU_Premier and eduroam) is the biggest culprit of a lockout after a password change.

Related Tools

Tutorial

✅ Identify an Account Lockout


Using LDAP, look up the customer and find the lockoutTime variable.

This variable has 3 possible states.

Unspecified: This means that the user has been locked out before but is currently not locked out of their account.

Some specified time: This means that the user was locked out at that specific time and will automatically be unlocked 20 minutes from that time.

The variable does not exist: This means the user is not locked out and has never been locked out.

A lot of the time, people will try to change their password while they are locked out.

Check whether their pwdLastSet time falls within the lockout period that begins at lockoutTime.

If it does, the user attempted to set a password during their lockout time and will need to set a new password when they are unlocked. The password they attempted to set during the lockout cannot be used.
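The check described above, as an added example (not part of the original page or any SJSU tooling): it classifies the three lockoutTime states and tests whether pwdLastSet falls inside the lockout window. It assumes the attributes come from Active Directory as FILETIME integers, that "Unspecified" corresponds to a stored value of 0, and that the lockout lasts the 21 minutes stated above; the function names and sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: values come from Active Directory, where lockoutTime and
# pwdLastSet are 100-nanosecond ticks since 1601-01-01 UTC (FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LOCKOUT_DURATION = timedelta(minutes=21)  # lockout length stated on this page


def filetime_to_dt(raw):
    """Convert a raw FILETIME string/int to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(raw) // 10)


def lockout_status(entry, now, duration=LOCKOUT_DURATION):
    """Classify an LDAP entry (dict of attribute name -> raw value).

    Returns (state, unlock_at, password_set_during_lockout).
    """
    raw_lock = entry.get("lockoutTime")
    if raw_lock is None:
        return ("never_locked", None, False)       # attribute does not exist
    if int(raw_lock) == 0:
        return ("previously_locked", None, False)  # shown as "Unspecified"

    locked_at = filetime_to_dt(raw_lock)
    unlock_at = locked_at + duration
    state = "locked" if now < unlock_at else "lockout_expired"

    # A pwdLastSet inside [locked_at, unlock_at) means the customer tried to
    # change the password while locked out and must set a new one afterwards.
    raw_pwd = entry.get("pwdLastSet")
    pwd_in_window = False
    if raw_pwd is not None and int(raw_pwd) > 0:
        pwd_in_window = locked_at <= filetime_to_dt(raw_pwd) < unlock_at
    return (state, unlock_at, pwd_in_window)


def to_filetime(dt):
    """Helper to build constructed sample values for the demo below."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


if __name__ == "__main__":
    # Constructed sample entry: locked at 09:00 UTC, password set at 09:05.
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    sample = {"lockoutTime": str(to_filetime(t0)),
              "pwdLastSet": str(to_filetime(t0 + timedelta(minutes=5)))}
    print(lockout_status(sample, now=t0 + timedelta(minutes=10)))
```

Pass a different `duration` if the directory's lockout policy differs from the value used here.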

🔧 Resolve a Lockout

For device lockouts, you must use HDPR.

If HDPR is not working:

  • The customer can try to log in (MySJSU) on a different device (phone).

  • OKTA should present an option to receive an unlock email.

  • Once received, the customer can unlock the account and log in to the hardware.


There are 3 ways to resolve a lockout

1. Waiting out the lockout time; 21 minutes.

2. Using OKTA Admin to Unlock account (Preferred)

3. If the user is locked out of an SJSU-issued computer, use HDPR to unlock the user's account after verifying their identity.

Note: After consecutive lockouts you may not be able to unlock the user’s account, especially if you already unlocked their account once before very recently.

How to use OKTA Admin for Unlock

For more information on how to use OKTA Admin visit the training page: https://sjsu-its.atlassian.net/wiki/x/BQBgm

Unlock Account

*Unlock Account button only appears when user is locked out

When a user is in Locked Out status, the Unlock Account button appears on their account.

You can either Unlock Account for them or advise the customer to wait 21 mins and the account will unlock automatically.

What is the HDPR Tool?

The HDPR tool, Help Desk Password Reset Tool, is an online tool used to reset passwords and unlock accounts of active SJSUOne account users.
Note: You cannot reset/unlock accounts of users in Information Technology (IT).

When it's used:

  • When customers (typically employees) are locked out of an SJSU issued laptop or an office desktop only and are not locked out in OKTA.

    • Typically they will report seeing the error "The reference account is locked" after attempting to login to the computer.

    • You will see the customer's lockout time in LDAP, but their account will show active in OKTA.

DO NOT USE FOR PASSWORD RESETS

Using the HDPR Tool

  1. Navigate to https://sjsuone.sjsu.edu/HDPR/

  2. Enter YOUR 9 digit ID number and password

  3. Enter the SJSU ID number of the CUSTOMER in the box (please note: hitting the "enter" key on this screen after typing the ID number will sign you out of HDPR)

      

  4. Click "Select" to select the customer

  5. To unlock the user's account, select Unlock. Double check the lockoutTime variable in LDAP. It should go from a listed time to unspecified.
