Secondary NetID Account Usage
Secondary NetID Accounts are used by university IT personnel to separate their administrator privileges from their personal NetID account usage. A Secondary NetID Account is linked to one NetID account holder and only that individual is authorized to use the Secondary NetID Account to access systems.
Usage of the account is up to the department/service owner. Superuser privileges are an example of privileges that should be restricted to Secondary NetID Accounts.
By default, a Secondary NetID Account must have two-factor authentication set up.
Requesting a Secondary NetID Account
Texas A&M University IT personnel can request a Secondary NetID Account by completing and submitting the request form:
Secondary NetID Account Lifecycle
Creation
A Secondary NetID Account is created once the account request has been reviewed and approved. The requestor will be notified once the account has been set up and is ready for use.
Management/Usage
NetID account holders manage their Secondary NetID accounts via the Proxy Account Management application. This application allows the account holder to edit account settings or change the password for the account.
Renewal
Since Secondary NetID Accounts are tied to an individual, they do not require annual confirmation.
Deletion
Secondary NetID Accounts are deleted when the individual's personal NetID account is deleted.
Secondary NetID Account Password Management
Management of a Secondary NetID Account password encompasses a number of practices. The table and comments below describe the default password management practices for these accounts. A Secondary NetID Account must be set up with two-factor authentication.
Setting | Value |
---|---|
Minimum length of password | 16 |
Maximum length of password | 128 |
Password is character checked | Yes |
Maximum age of password (in days) | 1461 |
Days of daily expiration warnings | Once per week for 3 weeks. |
Password minimum age for reset (in days) | 0 |
Password uniqueness/history | 6 |
Failed attempts before lockout (CAS) | 7 |
Lockout duration in minutes (CAS) | 15 |
Failed attempts before lockout (Duo Two-Factor) | 7 |
Lockout duration in minutes (Duo Two-Factor) | 15 |
- Each attempt to change a password is checked to ensure that the new password conforms to the character requirements.
- A password must contain at least one (1) lowercase letter.
- A password must contain at least one (1) uppercase letter.
- A password must contain at least one (1) non-alphabetic symbol.
- A password must contain only the following characters: a-z, A-Z, 0-9, `~!@#$%^&*()-_=+[{]}|:;'<.>?/
- A password may not contain words found in a dictionary.
- A password may not contain the account login identifier.
- Passwords expire after a specific number of days as shown in the table.
- When the current date is close to the date of password expiration, messages will be sent weekly to the account holder's university business email address indicating that the password is about to expire and giving instructions for resetting the password.
- Password uniqueness/history counts the number of passwords stored by the system to ensure that a password is not reset to one that was previously used.
- Failed attempts before lockout counts the number of attempts to enter a correct Credential before the account is frozen and may not be accessed.
- Once an account is frozen, a specific amount of time must pass before the account is automatically unlocked, the failed attempts count is set to zero and the correct Credential is accepted for authentication.
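
One way to express the character checks listed above as code, as an added example that is not the university's own implementation. It assumes digits count as non-alphabetic symbols and that the login identifier and dictionary words are matched as case-insensitive substrings; the `dictionary` word list, the `min_word_len` cutoff and the sample passwords are constructed for illustration.

```python
import re

# Limits and allowed characters taken from the table and rules on this page.
MIN_LEN, MAX_LEN = 16, 128
ALLOWED = set(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "`~!@#$%^&*()-_=+[{]}|:;'<.>?/"
)

def check_password(password, login_id, dictionary=(), min_word_len=4):
    """Return the list of violated rules; an empty list means the password conforms.

    Assumptions (not stated on the page): digits satisfy the "non-alphabetic
    symbol" rule, matching is by case-insensitive substring, and dictionary
    words shorter than min_word_len are ignored.
    """
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length")
    if not re.search(r"[a-z]", password):
        problems.append("lowercase")
    if not re.search(r"[A-Z]", password):
        problems.append("uppercase")
    if not any(c in ALLOWED and not c.isalpha() for c in password):
        problems.append("non-alphabetic")
    # Characters outside the permitted set (for example comma, space, quote).
    bad = sorted(set(password) - ALLOWED)
    if bad:
        problems.append("charset:" + "".join(bad))
    lowered = password.lower()
    if login_id and login_id.lower() in lowered:
        problems.append("login-id")
    hits = [w for w in dictionary
            if len(w) >= min_word_len and w.lower() in lowered]
    if hits:
        problems.append("dictionary:" + ",".join(sorted(hits)))
    return problems

if __name__ == "__main__":
    # Constructed sample inputs; "jdoe-adm" is a made-up login identifier.
    words = ["password", "cat"]
    for pw in ("tq7Rm!vz2Kp#xw9L", "Short1!a", "tq7Rm,vz2Kp xw9L",
               "xJDOE-adm7Rm!vz2Kp", "tq7Rm!Password9L"):
        print(repr(pw), check_password(pw, "jdoe-adm", words) or "OK")
```

Password history, expiration and lockout are enforced by the account system and are outside what this check covers.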