
Identity Services

Admin Account Management

Admin Account Usage

Administrator (Admin) Accounts are used by university IT personnel to separate their administrator privileges from their personal NetID account usage. An Admin Account is linked to one NetID account holder and only that individual is authorized to use the Admin Account to access systems.

Usage of the account is up to the department/service owner. Sudo privileges are an example of privileges that should be restricted to Admin Accounts.

By default, an Admin Account must have Two-Factor Authentication set up.

Requesting an Admin Account

Texas A&M IT personnel can request Admin Accounts by completing and submitting the request form:

Please specify that an Admin Account is being requested in the section where the purpose of the account is listed.

Admin Account Lifecycle

Creation

An Admin Account is created once the account request has been reviewed and approved. The requestor will be notified once the account has been set up and is ready for use.

Management/Usage

NetID account holders manage their Admin Accounts via the Proxy Account Management application. This application allows the account holder to edit account settings or change the password for the account.

Renewal

Since Admin Accounts are tied to an individual, they do not require annual confirmation.

Deletion

Admin Accounts are deleted when the individual's personal NetID account is deleted.

Admin Account Password Management

Management of an Admin Account password encompasses a number of practices. The table and comments below describe the default password management practices for these accounts. An Admin Account must be set up with two-factor authentication.

Texas A&M Admin Account Default Password Management Practices

| Practice | Default |
|---|---|
| Minimum length of password | 16 |
| Maximum length of password | 128 |
| Password is character checked | Yes |
| Maximum age of password (in days) | 1461 |
| Days of daily expiration warnings | Once per week for 3 weeks. |
| Password minimum age for reset (in days) | 0 |
| Password uniqueness/history | 6 |
| Failed attempts before lockout (CAS) | 7 |
| Lockout duration in minutes (CAS) | 15 |
| Failed attempts before lockout (Duo Two-Factor) | 7 |
| Lockout duration in minutes (Duo Two-Factor) | 15 |

  • Each attempt to change a password is checked to ensure that the new password conforms to the character requirements.
    • A password must contain at least one (1) lowercase letter.
    • A password must contain at least one (1) uppercase letter.
    • A password must contain at least one (1) non-alphabetic symbol.
    • A password must contain only the following characters: a-z, A-Z, 0-9, `~!@#$%^&*()-_=+[{]}\|:;',<.>?/
    • A password may not contain words found in a dictionary.
    • A password may not contain the account login identifier.
  • Passwords expire after a specific number of days as shown in the table.
  • When the current date is close to the date of password expiration, messages will be sent weekly to the account holder's university business email address indicating that the password is about to expire and giving instructions for resetting the password.
  • Password uniqueness/history counts the number of passwords stored by the system to ensure that a password is not reset to one that was previously used.
  • Failed attempts before lockout counts the number of attempts to enter a correct Credential before the account is frozen and may not be accessed.
  • Once an account is frozen, a specific amount of time must pass before the account is automatically unlocked, the failed attempts count is set to zero and the correct Credential is accepted for authentication.
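
The character check described above can be expressed as a validator that reports every rule a candidate password breaks. This is an added example, not the university's own code; the word list, the sample login identifier used when calling it, the substring matching, and the reading of "non-alphabetic symbol" as any allowed non-letter are assumptions.

```python
import string

# Values taken from the policy table and character rules above.
MIN_LEN, MAX_LEN = 16, 128
ALLOWED = set(string.ascii_letters + string.digits
              + "`~!@#$%^&*()-_=+[{]}\\|:;',<.>?/")

# Constructed stand-in for a dictionary; the page does not say which
# word list or matching rule the real check uses.
SAMPLE_WORDS = {"password", "welcome", "aggie", "admin", "summer"}


def check_password(candidate, login_id, words=SAMPLE_WORDS):
    """Return the list of policy rules the candidate violates (empty = accepted)."""
    problems = []
    if len(candidate) < MIN_LEN:
        problems.append("shorter than 16 characters")
    if len(candidate) > MAX_LEN:
        problems.append("longer than 128 characters")
    # ASCII tests only, so letters outside a-z/A-Z never satisfy a rule.
    if not any(c in string.ascii_lowercase for c in candidate):
        problems.append("no lowercase letter")
    if not any(c in string.ascii_uppercase for c in candidate):
        problems.append("no uppercase letter")
    # Assumption: any allowed character that is not a letter counts,
    # so a digit satisfies this rule.
    if not any(c in ALLOWED and c not in string.ascii_letters for c in candidate):
        problems.append("no non-alphabetic symbol")
    # Space and the double quote are not in the allowed set.
    bad = sorted({c for c in candidate if c not in ALLOWED})
    if bad:
        problems.append("characters outside the allowed set: " + repr(bad))
    lowered = candidate.lower()
    # Assumption: both checks are case-insensitive substring matches.
    if login_id and login_id.lower() in lowered:
        problems.append("contains the account login identifier")
    hits = sorted(w for w in words if w in lowered)
    if hits:
        problems.append("contains dictionary words: " + ", ".join(hits))
    return problems
```
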