User Password & Lockout Policy
Craig Medland avatar
Written by Craig Medland
Updated over a week ago

itopia CAS helps customers implement a secure and compliant network environment by requiring all users to use strong passwords, which have at least eight characters and include a combination of letters, numbers, and symbols. These passwords help prevent the compromise of user accounts and administrative accounts by unauthorized users who use manual methods or automated tools to guess weak passwords. Strong passwords that are changed regularly reduce the likelihood of a successful password attack.

Our default requirements for creating end user and administrator passwords:

Password complexity: 1 or more upper case letters, 1 or more lower case letters, 1 or more numbers or special characters and 8 or more characters in length. The password cannot contain user's first name, last name nor username.

Allowed characters: A-Z, a-z, 0-9, @, #, %, ^, &, =, +, >, <, |, !

The system forces users to change their passwords every 42 days. They need to change it to one that meets the above conditions and that wasn't used before (the system remembers 24 historic passwords).

The default policy for lockouts is set to 0, meaning that users don't get locked out when putting an incorrect password.

The default policy can be changed for the clients from Primary Domain Controller (PDC) server. Best practice is to create new policy matching your requirements instead of changing the default one. The new one will then be applied over the default policy and if anything's not working with the new policy for you, you can just revert back to the default one. If you need help, simply email

How can users change their passwords?
When logged into their Cloud Desktop, users simply hold Ctrl+Alt+End at the same time. On a MAC, the equivalent shortcut is: Control + Fn + Delete (Ctrl + Option + Fn +Delete).

โ€‹Default policy in place on the domain requires a password to be at least 1 day old before being allowed to change it. Check the image below:

If you modify that policy and change the 1 day to 0, users should be able to change passwords whenever they want.

Password Expiration Policy

Users get a small notification in their remote desktop session bottom eight corner before their password expires.

The default password expiration policy including the notification period can be found in the default group policy. The settings can be changed to your preference in Active Directory or you can mark the passwords to never expire from CAS accessing User settings.

Password Age

The default policy sets the minimum password age to 1 day. That means that the end user will not be able to reset their password more than once a day unless the default policy is changed to 0. The default maximum password age is 42 days.

Did this answer your question?