Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

(info) What are Account Lockouts?

  • Account lockouts happen when a user unsuccessfully attempts to log in 5 or more times consecutively.

  • When a user is locked out. the account lockout lasts for 21 minutes and prevents them from logging in or setting a new password.

  • The account lockout timer does not reset upon another unsuccessful log in attempt nor does the timer extend longer than 21 minutes. Meaning a lockout will always be 21 minutes.

  • Accounts can get locked out repeatedly if there are devices attempting to log into the system. This happens quite a bit to people that have their credentials saved when connecting to the Wi-Fi.

  • Automatically connecting to the university's Wi-Fi (SJSU_Premier and eduroam) is the biggest culprit of a lockout after a password change.

Related Tools

(info) Tutorial

✅ Identify an Account Lockout

 View

Using LDAP, look up the customer and find the lockoutTime variable

There are 3 different states this variable has.

Unspecified: This means that the user has been locked out before but is currently not locked out of their account.

Some specified time: This means that the user was locked out at that specific time and will automatically be unlocked 20 minutes from that time.

The variable does not exist: This means the user is not locked out and has never been locked out.

A lot of the time people will try to change their password when they are locked out

You want to check if their pwdLastSet time is within the lockoutTime variable.

If it is, the user attempted to set a password during their lockout time and will need to set a new password when they are unlocked. This password they attempted to set during their lockout time cannot be used.

🔧 Resolve a Lockout

Add: for lockout of devices, must use HDPR

IF HDPR is not working,

  • customer can try to login (MySJSU) on a different device (phone)

  • OKTA should present option to receive unlock email

  • Once received, customer can unlock account and be able to login to hardware.

 View

There are 3 ways to resolve a lockout

1. Waiting out the lockout time; 21 minutes.

2. Using OKTA Admin to Unlock account (Preferred)

3. If the user is locked out of an SJSU issued computer use HDPR to unlock the users account after verifying their identity.

Note: After consecutive lockouts you may not be able to unlock the user’s account, especially if you already unlocked their account once before very recently.

How to use OKTA Admin for Unlock

For more information on how to use OKTA Admin visit the training page: https://sjsu-its.atlassian.net/wiki/x/BQBgm

Unlock Account

*Unlock Account button only appears when user is locked out

When a user is in Locked Out status, the Unlock Account button appears on their account.

You can either Unlock Account for them or advise the customer to wait 21 mins and the account will unlock automatically.

What is the HDPR Tool?

The HDPR tool, Help Desk Password Reset Tool, is an online tool used to reset passwords and unlock accounts of active SJSUOne account users.
Note: You cannot reset/unlock accounts of users in Information Technology(IT).

When its used:

  • When customers (typically employees) are locked out of an SJSU issued laptop or an office desktop only and are not locked out in OKTA.

    • Typically they will report seeing the error "The reference account is locked" after attempting to login to the computer.

    • You will see the customers lockout time in LDAP but their account will show active in OKTA.

DO NOT USE FOR PASSWORD RESETS

Using the HDPR Tool

 Click here to expand...

  1. Navigate to https://sjsuone.sjsu.edu/HDPR/

  2. Enter YOUR 9 digit employee number and password

  3. Enter the SJSU ID number of the CUSTOMER in the box (please note: hitting the "enter" key on this screen after typing the ID number will sign you out of HDPR)

      

  4. Click "Select" to select the customer

If the customer provided an invalid ID number, or their SJSU ID has expired (it's been more than 24 months since they last attended the school), the search results will look like this:

To set a new temporary password, select "Yes" to set a new temporary password for the user and send/give to the user.
To unlock a user's account, select "Unlock" to unlock the user's account. Double check the lockoutTime variable in LDAP. It should go from a listed time to unspecified.

  • No labels