Account Management Policy Explained

Account management policy plays a crucial role in network security. If an attacker compromises an account, it doesn't matter which authentication protocol or server you use; the attacker gets every right the account has. A solid account policy can protect the network from unauthorized access.

An account management policy includes the following elements.

  • Disabling account
  • Account expiry
  • Account lockout threshold
  • Account lockout duration
  • Reset account lockout counter after

Let us understand these elements in detail.

Disabling account

When a user leaves your organization or company, you can take the following three actions on his account:

  1. Keep the account intact
  2. Delete the account
  3. Disable the account

The first option is the worst choice. It allows the user to access your network even after he has left the job. Administrators never use this option.

The second option is a double-edged sword. If you use this option, you will eliminate all possibilities of unauthorized access using this account. But it will also eliminate any chance of getting the same account back.

Operating systems and applications assign a unique user ID to each user account. They use it to track and monitor all user activity. All security policies use it to allow or deny permission on network resources.

If you create the same user account again, the new user account will get a new user ID. Operating systems and applications will treat it as a new user. Do not use this option if there is any chance that you will use this account again. There is no way to recover a deleted account. Use this option only if you are one hundred percent sure that you will never use this account again.

The third option is the best choice. When you disable an account, it still exists, but the user cannot use it to log in. It allows you to reactivate the account whenever you need it again. For example, suppose you hire a new user to replace the user who has left the job. You can use the existing account for the new user. You can update all details of an account except the user ID. Since the new user will use the same user ID, he will get all the permissions the previous user had. Another good time to use this option is when a user takes a long leave. You can enable the account when the user returns to the job.

Account expiry

This element defines an expiry time for the account. The account automatically expires at the defined time. The feature is useful when you hire temporary users. Since you know how long the user will work for you, you can set the user's account to expire on their expected last day on the job.

Account lockout threshold

This element defines the number of bad login attempts the system or application will tolerate before it locks the account. For example, if you set the value of this option to 3, the user has only three chances to enter the correct username and password. After three failed attempts, the application will lock the user account.

Reset the account lockout threshold counter

This element specifies the time after which the failed logon counter resets to zero. For example, if you set it to fifteen minutes, the account lockout threshold counter will reset to zero fifteen minutes after a failed login attempt.

Account lockout duration

This element defines the account lockout duration. You can define this duration in the number of minutes or set it to zero. A zero value means the account will be locked until an administrator unlocks it.
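
How the three lockout settings above interact, shown as an added example that is not part of the original article. The LockoutPolicy, Account and replay names, the minute-based test clock, measuring the reset window from the most recent failed attempt, and clearing the counter on a good logon are assumptions of this sketch.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int = 3         # bad attempts tolerated before lockout
    reset_after_min: int = 15  # quiet minutes after which the counter resets
    duration_min: int = 30     # lockout length; 0 = until an admin unlocks

class Account:
    def __init__(self, policy):
        self.policy = policy
        self.failures = 0
        self.last_failure = None  # minute of the most recent bad attempt
        self.locked_at = None     # minute the lockout began, None if unlocked

    def admin_unlock(self):
        self.failures, self.last_failure, self.locked_at = 0, None, None

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        if self.policy.duration_min and now - self.locked_at >= self.policy.duration_min:
            self.admin_unlock()  # timed lockout has expired
            return False
        return True  # still inside the window, or duration 0 (manual unlock)

    def login(self, now, password_ok):
        """Return 'ok', 'failed' or 'locked'; `now` is minutes on a test clock."""
        if self.is_locked(now):
            return "locked"  # even a correct password is refused
        if password_ok:
            self.failures = 0  # assumption: a good logon clears the counter
            return "ok"
        if self.failures and now - self.last_failure >= self.policy.reset_after_min:
            self.failures = 0  # "reset account lockout counter after" elapsed
        self.failures += 1
        self.last_failure = now
        if self.failures >= self.policy.threshold:
            self.locked_at = now
            return "locked"  # this attempt reached the threshold
        return "failed"

def replay(policy, events):
    account = Account(policy)  # fresh account for each replay
    return [account.login(minute, ok) for minute, ok in events]

# Constructed sample: two failures, a 19-minute pause, three more, then good logons.
EVENTS = [(0, False), (1, False), (20, False), (21, False), (22, False),
          (23, True), (60, True)]
```

Replaying EVENTS with a longer reset window locks the account two attempts earlier, and with a duration of zero the final correct logon is still refused until admin_unlock() is called.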


Account management policy defines the elements administrators use to secure accounts on applications and operating systems. Learning these elements is essential for effective network or system management.
