Locked Account

Locked Employee Account Troubleshooting

This article will cover how you can troubleshoot in the event that an employee's account becomes locked out. We will first review how you can determine the current reason an employee is locked out as well as how you can look at historical lock out reasons.

Please be aware that this guide is not all encompassing and that the locked reason code(s) may be changed or expanded in the future. If you have any questions regarding a specific reason code and its purpose or it is not covered here, please reach out to your designated specialist(s) for assistance.

Determining Lock Out Reasons

Locating Current Locked Reasons

First, we'll review how you can review the reason as to why an employee is currently locked out. If you determine an employee is locked out of the system and you want to get immediate information on why this occurred, please follow the steps below.

1. Navigate from your menu to the Team Tab > My Team > Employee Information.



2. From this report, select to Add/Remove Columns... and ensure that the following columns are available:
  1. Employee: Locked
  2. Employee: Locked Reason




3. Once the identifier and reason have been brought into the report, you can then filter using the drop-down under the Locked column and selecting Yes.
  1. This will show you all locked accounts as of today with the reason showing to the right under the LockedReason column

Locating Historical Locked Reasons

When an account locks, a reason code can also be found in the Account Info Audit Trail. This report will show all current/historical reason codes for future reference. The reason code(s) shown in this report will help identify why the account was locked so that you can correct as needed. To find the the historical reason code, see the steps below: 

1. To find the lock reason code, navigate from your menu to the Team Tab > My Team > Employee Information


2. From this report, select the Quick Link icon next to the employee you wish to look into and select the Account Audit Trail option.





3. Within the Account Info report, adjust your date range to be around the time the account was locked out using the Modification Dates button.




4. Once you've applied your date range, enter a filter under the Field Desc column of Locked Reason, a filter under Object of Account, and select to Run Report.


5. In the New Value column, you will see a code presented. This is the reason the account was locked or unlocked depending on what action has already been taken.


The locked account reason codes can be found below: 


Commonly Seen Locked Reason Codes

  1. 1 - VCA Cleared: This indicates that the account was manually locked
  2. 2 - Invalid Attempts: This indicates the employee entered their login credentials incorrectly too many times
    1. By default, the account will typically unlock after 30 minutes
  3. 3 - New Account Time Limit Exceeded: This indicates that the employee has not logged into their account within the grace period
    1. This grace period is typically set to 30 days from the account being created
  4. 8 - Import: This indicates the account was flagged due to being locked within an import file
    1. Green Leaf will typically unlock these accounts during the implementation process
  5. 9 - VCA Approval Time Limit Exceeded: This indicates that the employee's Virtual Code/Two-Factor Authentication (VCA) settings weren't approved within the grace period
    1. This grace period is typically set to 72 hours
  6. 10 - VCA Invalid Attempts Exceeded: This indicates the employee entered the wrong VCA code too many times when logging into the system

What is Two-Factor Authentication?

Two Factor Authentication (2FA) is a required functionality for all account users that have access to sensitive data, including company admins, managers, and employees. This will send a number code for a user to enter as a dual-factor to be able to log into their Elevated account. 

By default, when the account is created, the email and phone that was entered upon hire will be referenced when users first log in and could be used to receive the authentication code. During the first login, the user may change the email or phone to send the code, and if they do, the VCA Admin list will receive a to do to approve the changes. If the changes aren't approved within 72 hours, the account will automatically lock for enhanced security. If the VCA is not approved within 72 hours, then your company's admin(s) will be required to unlock the employee's account clear their VCA settings.  

When in Doubt: Unlock / Reset / Clear

No matter the reason for a locked account, the following steps will ensure that accounts do not keep locking. 

Unlock Account

  1. Navigate from your menu to the Team Tab > HR > Employee Maintenance > Password Unlock
    1. Choose the employee(s) by clicking on the browse icon and check the boxes of the employees that need to be unlocked
    2. Once chosen, select the Unlock button located in the upper right-hand corner of the screen
    3. This will then automatically unlock the employee's account so that they can attempt to log in again

Reset Password

  1. Navigate from your menu to the Team Tab > HR > Employee Maintenance > Password Reset
    1. Choose the employee(s) by clicking on the browse icon and check the boxes of the employees that need to be unlocked
    2. Once chosen, select the Reset Password button located in the upper right-hand corner of the screen
    3. This should then send an email automatically to the employee letting them know their temporary password so that they can get logged in

Clear Two-Factor Registration

  1. Navigate from your menu to the Team Tab > HR > Employee Maintenance > Password Reset
    1. Choose the employee(s) by clicking on the browse icon and check the boxes of the employees that need to be unlocked
    2. Once chosen, select the Reset Password button located in the upper right-hand corner of the screen
    3. This will then clear the phone number/email identified with their Two-Factor Settings so that they can re-enter them as needed

    • Related Articles

    • Credentials - User Name, Password, Login.

      By default, when you add a new hire, as soon as you activate the "account"/employee profile, the new account (even if this is adding an accountant) will receive an email with a login landing site, company short name, user name and the password ...

    • MFA & Password Policy Updates (August 2023)

      Green Leaf is implementing a new set of security measures this year within the Elevated Platform to keep your organization's data safe and secure 24/7. Our system has always utilized Two-Factor Authentication to log in (i.e., receiving a code to your ...

    • Mobile App Instructions & Troubleshooting

      Upon adding a new hire or account in Green Leaf Elevated, the end user will receive an email indicating that they must log in on the web to activate and reset their password. They are also given instructions on how to download the mobile app. By ...

    • Missing Payroll E/D Code For 1 Record

      When pulling hours into payroll, if you receive the error  "Missing Payroll E/D Code For 1 Record" it may mean that there was a new earning/deduction code that was not tied to the payroll sync (the profile that brings hours into payroll). In the ...

    • How to Hire a New Employee

      This article will cover the steps required to add a new hire to the system. Green Leaf’s new hire process typically consists of an administrator or manager initiating the new hire, the New Hire receiving an email to log in and complete their new hire ...