Users

Lock and delete inactive users

The system can automatically lock and/or delete users if they don’t log in during a specified amount of time. This reduces the risk of inactive or abandoned user accounts being misused, and it can also help clean up unused accounts in user management.

../_images/lock-delete-inactive-users.svg

Last login

User inactive (or unlocked by administrator)

User locked

User deleted

+

Inactive period until lock

The amount of time that has to pass after a user’s last login until the user gets locked.

Lock notice period

The amount of time before a user gets locked during which the user receives a weekly email notification.

Lock period until deletion

The amount of time that has to pass after a user got locked until the user gets permanently deleted.

Lock inactive users

To enable the feature, select the option Lock Inactive Users. Then select the time of inactivity after which inactive users should be locked in Inactive Period Until Locked. If a user doesn’t log into the system within Inactive Period Until Locked, the user account will be locked. Users cannot log in to locked accounts. Instead, an administrator has to unlock locked accounts before they can be used again.

In Lock Notice Period, you can specify the period of time in which a user will be notified in advance of an impending lock before the account is actually locked, giving the user the opportunity to keep the account active by simply logging in. During the Lock Notice Period, the user will receive a weekly email notification that informs about the impending lock.

You can exclude users from the lock policy. Add users to the whitelist by selecting them in the Add User dropdown. This is mainly intended for “system users”, i.e. accounts that are not actively used by individuals, for example for accounts that are used on public displays and should never be locked.

Save your changes by clicking on Save at the top right.

Note

Note that the periods you configure above will start only after the locking feature has been enabled. This means that users who haven’t logged in for a long period of time won’t immediately be locked, but only after the inactive period until lock has passed, starting from when the option Lock Inactive Users was enabled.

Delete inactive users

If user accounts are no longer needed, they should be deleted. The system can automatically delete unused user accounts for you. Unused user accounts are accounts that have been locked for a specific period of time.

To be able to use this feature, Lock Inactive Users has to be enabled according to the description in the section above. To have locked user accounts deleted after a period of time, select the option Delete Inactive Users. Then select the time that users need to be locked before they are deleted in Lock Period Time Until Deletion.

During the Lock Period Until Deletion period, the user will receive a weekly email notification that informs about the impending deletion.

You can exclude users from the deletion policy. Add users to the whitelist by selecting them in the Add User dropdown. This is mainly intended for “system users”, i.e. accounts that are not actively used by individuals, for example for accounts that are used on public displays and should never be deleted.

Save your changes by clicking on Save at the top right.

Note

Note that the period you configure above will start only after the locking feature was been enabled. This means that users who haven’t logged in for a long period of time won’t immediately be deleted, but only after both the inactive period until lock and the lock period until deletion have passed, starting from when the option Lock Inactive Users above was enabled.

Password expiration policy

You can choose whether the passwords of your users should automatically expire after a specific amount of time. Select the desired expiration interval in the dropdown Password Expiration Policy. Users will be prompted by the system to change their password if it is older than the specified period. Note that users won’t be allowed to reuse any of their previous passwords.

You can exclude users from the expiration policy. Add users to the whitelist by selecting them in the Add User dropdown. This is mainly intended for “system users”, i.e. accounts that are not actively used by individuals, for example for accounts that are used on public displays where it would be impractical to renew passwords.

Save your changes by clicking on Save at the top right.

Authentication

If the option Enforce Two-Factor Authentication is disabled, users can decide for themselves whether or not they want to use two-factor authentication, and they can enable or disable it in their own user account at any time. If they opt in, they are prompted to link their login with a two-factor authentication app (which can be either installed on the computer itself or on a mobile device), and they need to enter the one-time password from the authenticator app every time they log in. If the option Enforce Two-Factor Authentication is enabled, however, all users of this client will be asked to configure two-factor authentication on their next login, and they will not be able to log in otherwise.

Save your changes by clicking on Save at the top right.

Warning

Please note that our companion apps for Windows will not work with two-factor authentication at the moment.