Block Users
For improved security, ADSelfService Plus allows administrators to block users who fail to verify their identity. When there are too many unsuccessful identity verification attempts, administrators can block the user's account indefinitely or for a set amount of time.
How to block users
Log in to ADSelfService Plus with admin credentials, and navigate to Configuration > Self-service > Policy Configuration. From the list of configured policies, click the Advanced icon of the policy for which you want to configure user blocking. In the pop-up that is displayed, navigate to Block User.

- In the Block Users Who Fail Identity Verification section, specify the maximum number of invalid attempts allowed within a set time interval. Use the Allow a maximum of __ invalid attempts within __ mins option to define the limit after which the user will be blocked.
Note: Each identity verification attempt failure, whether during password entry, backup code entry, OTP submission (including during the enrollment process), or MFA verification, will count toward the maximum verification attempts limit before the account is blocked. Blocked users cannot reset passwords, unlock accounts, or log in to applications or endpoint devices.
MFA failures while using Duo Security or Smart Card Authentication will not be counted towards identity verification failures, as those authenticators have their own blocking mechanisms.
- Using the Block users for a period of __ min option, specify the number of minutes for which the user will remain blocked.
Example: Say you have set the maximum invalid attempts to five, defined the time interval as 10 minutes, and specified the period for which the user will remain blocked as 30 minutes. This means that when users fail to verify their identity five times in a 10-minute interval, they will be blocked for 30 minutes.
- Choose Forever (until unblocked by admin) to configure user accounts to remain blocked until manually unblocked by an admin.

Users who are blocked while trying to access applications or endpoints, or while performing self-service password resets or account unlocks, will be restricted from accessing every endpoint protected by ADSelfService Plus until their account is unblocked.
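
To reason about candidate values before applying them, the blocking rule described above can be modeled as follows. This is an added example, not ADSelfService Plus code; the names BlockPolicy, record_failure, is_blocked, unblock and demo are hypothetical, and the sliding time window and the counter reset on block are assumptions, since the page does not state how the product counts internally.

```python
from collections import deque
from datetime import datetime, timedelta

# Per the note above, these authenticators have their own blocking mechanisms.
EXCLUDED = {"Duo Security", "Smart Card Authentication"}

class BlockPolicy:
    """Model of 'Allow a maximum of N invalid attempts within M mins'."""
    def __init__(self, max_attempts, window_mins, block_mins=None):
        self.max_attempts = max_attempts
        self.window = timedelta(minutes=window_mins)
        # block_mins=None models "Forever (until unblocked by admin)".
        self.block = None if block_mins is None else timedelta(minutes=block_mins)
        self.failures = {}  # user -> deque of failure timestamps
        self.blocked = {}   # user -> expiry time, or None for forever

    def is_blocked(self, user, now):
        if user not in self.blocked:
            return False
        until = self.blocked[user]
        if until is not None and now >= until:
            del self.blocked[user]  # timed block has expired
            return False
        return True

    def record_failure(self, user, method, now):
        """Record one failed verification; return True if the user is blocked."""
        if self.is_blocked(user, now):
            return True
        if method in EXCLUDED:
            return False
        q = self.failures.setdefault(user, deque())
        q.append(now)
        while now - q[0] > self.window:  # assumption: sliding window
            q.popleft()
        if len(q) >= self.max_attempts:
            self.blocked[user] = None if self.block is None else now + self.block
            q.clear()  # assumption: the counter restarts after a block
            return True
        return False

    def unblock(self, user):
        """Models the admin's Unblock action in the Blocked Users Report."""
        self.blocked.pop(user, None)

def demo():
    # Constructed sample: five OTP failures one minute apart under the 5/10/30 policy.
    policy, t0 = BlockPolicy(5, 10, 30), datetime(2024, 1, 1, 9, 0)
    hits = [policy.record_failure("alice", "OTP", t0 + timedelta(minutes=i))
            for i in range(5)]
    return hits, policy.is_blocked("alice", t0 + timedelta(minutes=20))
```

Under this model, the same five failures spaced three minutes apart never trigger a block, which is the kind of slow guessing the interval setting leaves uncounted.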
How to restrict users' self-service actions
To prevent brute-force attacks and minimize the likelihood of unauthorized access, admins can also restrict the self-service actions performed by users to a certain number of times within a certain number of days.
- Use the Allow users to reset passwords only __ times in __ days option to configure the number of times users can reset their passwords in a specific number of days.
- Use the Allow users to unblock accounts only __ times in __ days option to configure the number of times users can unlock their accounts in a specific number of days.
- Select OK.
Auditing blocked users
Admins can audit and view the list of currently blocked users as well as the list of previously blocked users from the Blocked Users Report.
How to unblock users
To unblock users:
- Log in to ADSelfService Plus with admin credentials, and navigate to Reports > Password Self-Service Reports > Blocked Users Report.

- Select the relevant policy and click Generate to get the list of users who have been blocked from accessing ADSelfService Plus.
- Select the users you want to unblock from the list of blocked users. Click Unblock, and then click OK.