Have You Seen Workflow Lately? Click here to check out all the new features in the latest version.

Supercharge your GE solution! Download a free trial of Proficy Operations Hub, CSense analytics, and more. Learn more about the Proficy 2024 releases, by signing up for one of our upcoming events.

Home
Security
Domain-Based Security
Windows Domain-Based Security
You can use Windows domain user accounts to manage access to and within Workflow. You can also configure domain user accounts for automatic login on either a global basis or for individual computers.
Configuring Domain-Based Access Control to Workflow Functionality
You can use active directory universal or global groups to control access to Workflow functionality.
Limit the number of invalid login attempts
When a Workflow user is connected to a Windows domain user account, you can set an account lockout threshold, which prevents a user from accessing the account after he enters the incorrect user name or password beyond the number of acceptable times. When the account lockout threshold has been reached, the account is disabled.

Workflow Products Documentation

Security
- Security Overview
- Users and Groups
- Domain-Based Security
  - Windows Domain-Based Security
    You can use Windows domain user accounts to manage access to and within Workflow. You can also configure domain user accounts for automatic login on either a global basis or for individual computers.
    - Windows Domain Users Logging into Workflow
      If you are using Windows user names and passwords within Workflow security, be aware that Windows user accounts must have the policy Access this computer from the network applied under the local security policy. By default, this policy is assigned to the groups Users and Everyone on the local machine.
    - Authenticate Windows Domain Users for Vision Calls
      Vision uses a token to make a secure call. For Windows authentication, the Proficy STS service needs to query the domain controller to retrieve groups that the user belongs to. This group information is used to validate the Windows user.
    - Password Expiration Considerations
      When Workflow security is synchronized with Windows security, passwords can expire.
    - Configuring Domain-Based Access Control to Workflow Functionality
      You can use active directory universal or global groups to control access to Workflow functionality.
      - Assigning operating system rights to Windows domain user accounts
        When you use Windows security in Workflow, user accounts that need to log in to a machine must have the Act as Part of the Operating System right enabled in the local security policy.
      - Set Windows passwords to expire
        One of the benefits of using Workflow with Windows security is that you can set Windows passwords to expire.
      - Limit the number of invalid login attempts
        When a Workflow user is connected to a Windows domain user account, you can set an account lockout threshold, which prevents a user from accessing the account after he enters the incorrect user name or password beyond the number of acceptable times. When the account lockout threshold has been reached, the account is disabled.
      - Associate Active Directory universal or global groups with Workflow groups
        Domain users are Windows users who are members of one or more Windows domain groups.
      - Automatically create Workflow user accounts for Windows domain user accounts
        You can automatically create a Workflow user when a Windows domain user logs into Workflow client for the first time.
      - Manually add a Windows domain user to Workflow
        You can use Windows domain user accounts to manage access to and within Workflow.
      - Convert between Windows domain and Workflow users
        Beginning with Workflow version 2.2, you can convert Workflow users to domain users, and vice versa, by either adding the applicable domain designation to the user's name or removing the designation from the name, respectively.
      - Active Directory Groups and Domain Users
        The Domain Users tab displays the list of active directory universal or global groups and Windows domain users who are members of those groups. You can map additional active directory groups to the current Workflow group or remove mapped active directory groups.
    - Key Sets
      Key sets are groups of permissions, based on areas of operation within your facility, that define the operations a group of users can perform.
    - Login and Logout Capabilities
      Workflow access can be configured in multiple ways. You can configure automatic login and logout on individual computers, on all computers in your system, or on a subset of computers in your system. You can also retain manual login and logout on a global basis or on specific computers.
    - Workflow User Password Security
      Administrator users have the ability to make changes to the security settings in Workflow, including configuring lockout thresholds, re-enabling locked out user accounts, configuring password complexity, and determining whether or not users can change their passwords.

Limit the number of invalid login attempts

When a Workflow user is connected to a Windows domain user account, you can set an account lockout threshold, which prevents a user from accessing the account after he enters the incorrect user name or password beyond the number of acceptable times. When the account lockout threshold has been reached, the account is disabled.

Procedure

From the Start menu, click Control Panel > Administrative Tools.
Double-click Local Security Policy.
The Local Security Policy dialog box appears.
Expand the Account Policies folder.
Select the Account Lockout Policy folder.
The account lockout policies display in the Policy list.
Double-click Account Lockout Threshold.
The Account lockout threshold Properties dialog box appears.
In the Account will not lock out field, enter the number of invalid login attempts before the account is disabled.
Click OK.