
Recovery

DigitalPersona LDS provides full recovery options to administrators for enabling users to regain access to their Windows user accounts and computers.

User recovery

Installation of DigitalPersona LDS adds the Recover User command to Active Directory’s context menu for a user in the Active Directory Users and Computers console. This command enables recovery of the user’s access to their Windows account by a one time access code available through a link on the Windows logon screen.

To recover a user

DigitalPersona provides a simple way to restore access for a user who cannot log on and needs one-time access to both the pre-boot environment and their Windows account. The procedure alternates between actions taken by the user (or by the DigitalPersona software) and actions taken by the administrator.

  1. User: The user contacts a help desk person or DigitalPersona administrator and provides their Windows user account name.
  2. Administrator: The administrator locates the user in Active Directory Users and Computers, right-clicks the user and selects Recover User, which launches the Recover access wizard.
  3. Administrator: The administrator transmits the displayed Recovery account name and password to the user. These credentials let the user authenticate at the pre-boot level. The password is automatically changed after it has been used, so it cannot be replayed later.
  4. User: The user enters the Recovery account name and password, gaining access to the computer at the pre-boot level.
  5. User: At the Windows logon screen, the user clicks their user tile. On the user tile screen, they click the One time access link.
  6. User: The user transmits the displayed Security Key to the administrator.
  7. Administrator: The administrator clicks Next in the wizard, enters the Security Key and clicks Next again.
  8. DigitalPersona software / Administrator: DigitalPersona displays a One time access code, which the administrator transmits to the user. The code does not expire, but it can be used only once.
  9. User: The user types the One time access code and clicks OK, gaining access to their Windows account.

Computer recovery

Installation of DigitalPersona LDS also adds the Recover Computer command to Active Directory’s computer object context menu. This command can be used to easily recover access to a computer where an AD User has been locked out during pre-boot authentication.

To recover a computer from a pre-boot lockout

The procedure alternates between actions taken by the user (or by the DigitalPersona software) and actions taken by the administrator.

  1. User: The AD user contacts your help desk for assistance in recovering from a pre-boot lockout.
  2. Administrator: The administrator locates the user's computer in Active Directory Users and Computers, right-clicks the computer and selects the Recover Computer command.
  3. Administrator: The administrator transmits the displayed Recovery Account name and password to the user.
  4. User: The user enters the Recovery Account name and password to authenticate at the pre-boot level.
  5. DigitalPersona software: After it has been used, the Recovery Account password is automatically changed, so it cannot be replayed later.

Account lockout recovery

When a user exceeds the permitted number of failed authentication attempts with a fingerprint credential (the threshold defined in the Windows account lockout policy), they are automatically locked out of their account. A locked-out account cannot be used until it is reset by an administrator or until the account lockout duration has expired.

When an account is unlocked by an administrator, the account becomes immediately available for fingerprint authentication from all computers, or after the next replication interval if there are multiple domain controllers.

To unlock a Windows user account

  1. Ensure that you have the required permissions to modify the user account.
  2. In Active Directory Users and Computers, right-click the user name and select Properties.
  3. Click the DigitalPersona tab.
  4. Clear the Account is locked out for fingerprint authentication checkbox. This checkbox is only for unlocking accounts and cannot be used by an administrator to lock an account; if the account is not locked, the checkbox is disabled.
  5. Click OK to close the dialog box and save the changes.

The administrator can choose less strict lockout settings by reducing the account lockout duration or the time after which the lockout counter is reset (the observation window) in the Windows security settings (Account Lockout Policy).
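The following PowerShell is an added example and is not part of the DigitalPersona guide or product. It covers only the Windows side of lockout recovery that this section refers to: reading the lockout policy that applies to a user, checking whether an unlock has reached every domain controller (the replication caveat above), clearing the Windows lockout, and relaxing the default domain lockout settings. It does not touch the DigitalPersona fingerprint lockout flag, which has to be cleared in the DigitalPersona tab as described above; the page does not say where that flag is stored, so nothing here assumes it. It requires the ActiveDirectory RSAT module, and the account name in the usage comments is a placeholder.

```powershell
# Added example (not DigitalPersona code). Windows-side lockout policy and state only;
# the "Account is locked out for fingerprint authentication" checkbox is separate.
Import-Module ActiveDirectory

# Lockout settings in force for one user: a fine-grained password policy if one
# applies to the user, otherwise the default domain policy.
function Get-EffectiveLockoutPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $policy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    $source = 'Fine-grained password policy'
    if (-not $policy) {
        $policy = Get-ADDefaultDomainPasswordPolicy
        $source = 'Default domain policy'
    }
    [pscustomobject]@{
        Source                   = $source
        LockoutThreshold         = $policy.LockoutThreshold        # 0 = accounts are never locked out
        LockoutDurationMinutes   = $policy.LockoutDuration.TotalMinutes
        ObservationWindowMinutes = $policy.LockoutObservationWindow.TotalMinutes   # "reset counter after"
    }
}

# Lockout state as seen by every domain controller. An unlock performed on one DC
# reaches the others only at the next replication interval, so a user on another
# site may still be refused until then.
function Get-LockoutStateByDC {
    param([Parameter(Mandatory)][string]$SamAccountName)

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties LockedOut, lockoutTime, badPwdCount
            [pscustomobject]@{
                DomainController = $dc.HostName
                LockedOut        = $u.LockedOut
                LockoutTime      = if ($u.lockoutTime) { [DateTime]::FromFileTimeUtc($u.lockoutTime) } else { $null }
                BadPwdCount      = $u.badPwdCount     # not replicated: each DC keeps its own count
            }
        } catch {
            [pscustomobject]@{ DomainController = $dc.HostName; LockedOut = 'unreachable'; LockoutTime = $null; BadPwdCount = $null }
        }
    }
}

# Clear the Windows lockout and show the per-DC state so the help desk can tell the
# user which DCs have picked up the unlock. Does not clear the fingerprint checkbox.
function Unlock-WindowsAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    Unlock-ADAccount -Identity $SamAccountName
    Get-LockoutStateByDC -SamAccountName $SamAccountName
}

# Relax the default domain lockout settings. For a non-zero lockout duration,
# Windows requires the observation window ("reset counter after") to be no longer
# than the lockout duration, so that is checked before anything is written.
function Set-DomainLockoutSettings {
    param(
        [Parameter(Mandatory)][timespan]$LockoutDuration,
        [Parameter(Mandatory)][timespan]$ObservationWindow
    )

    if ($LockoutDuration -gt [timespan]::Zero -and $ObservationWindow -gt $LockoutDuration) {
        throw "Observation window ($ObservationWindow) must not exceed the lockout duration ($LockoutDuration)."
    }
    $domain = (Get-ADDomain).DistinguishedName
    Set-ADDefaultDomainPasswordPolicy -Identity $domain `
        -LockoutDuration $LockoutDuration -LockoutObservationWindow $ObservationWindow
    Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
}

# Usage (jsmith is a placeholder account name):
#   Get-EffectiveLockoutPolicy -SamAccountName jsmith
#   Get-LockoutStateByDC -SamAccountName jsmith | Format-Table
#   Unlock-WindowsAccount -SamAccountName jsmith | Format-Table
#   Set-DomainLockoutSettings -LockoutDuration (New-TimeSpan -Minutes 15) -ObservationWindow (New-TimeSpan -Minutes 15)
```

Run Get-LockoutStateByDC again a few minutes after the unlock if the user reports still being refused: a DC whose LockedOut column is still True has simply not replicated yet, and that is the case the "next replication interval" note above describes. Relaxing the policy with Set-DomainLockoutSettings affects every account in the domain, so prefer a fine-grained password policy scoped to a group if only a subset of users needs the looser settings.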