Kunskapscenter

Advanced User Settings

To modify advanced user settings, you can go to Control Panel > User > Advanced. The options below are available.

Password Settings

You can set up the settings related to password security and strength rules for users on your Synology NAS.

To allow users to reset forgotten passwords via email:

  1. Tick the Allow non-admin users to reset forgotten passwords via email checkbox.
  2. Click Apply to save settings.
  3. The link marked "Forgot your password?" will display on the DSM login page. Once the password is forgotten, the user can click this link and enter the username. In this case, the system will send this user an email containing a link to reset the forgotten password.

Note:

  • Before enabling this option, make sure you have already enabled SMTP email notifications. To do so, go to Control Panel > Notification.
  • To receive messages from the system, users must provide an email address in the user information section of their accounts.
  • Users who belong to the administrators group cannot reset passwords with this option.
  • Domain users cannot reset passwords with this option.
  • LDAP users can reset passwords with this option, as long as the Synology NAS serves as the LDAP directory server and satisfies the following conditions:
    • LDAP user cannot be a member of administrators, Directory Operators, Directory Consumers, or Directory Clients.
    • If the Synology LDAP Server is a Consumer, its Provider must satisfy the conditions mentioned above.
    • The final Provider must be accessible with the user's web browser, and its email notifications must be enabled.
    • To avoid the reset forgotten password link from being used by someone else, the link must be clicked from the identical IP address where the forgotten password request has been made.

To force users to change password upon password reset:

  1. Tick the Force users to change passwords after the administrator resets the password checkbox.
  2. Click Apply to save settings.
  3. When the administrator changes the password for a user, the user will be required to change his or her password upon next login.

To enable password strength rules:

  1. Tick the Apply password strength rules checkbox.
  2. Tick or untick the following options according to your needs:
    • Exclude name and description of user from password: The password must not contain the user name or the user description. But UTF-8 encoded characters are excluded.
    • Include mixed case: The password must contain both upper and lower case letters.
    • Include numeric character: The password must contain at least one numeric character (0~9).
    • Include special character: The password must contain at least one ASCII special character (i.e., ~ ` ! @ # $ % ^ & * ( ) - _ = + [ { ] } \ | ; : ' " < > / ? , . and space character).
    • Exclude common password: Refrain users from setting common passwords, such as 123456, password, qwerty, et cetera.
    • Minimal password length: The password must be at least the value specified in the text field. The length should be a number between 6 and 127.
    • Password history: The password must be different from the previously set ones, the number of which is to be specified here.
  3. Click Apply to save settings.

Note:

  • New password strength rules are only applied when creating a new user account or when an existing user changes their password. Existing passwords and those belonging to imported user accounts are exempt from new password rules.
  • When password strength rules are modified, you can choose whether to force all users to change passwords at the next logon. This is applied to all users, including administrators and yourself, but not to the "guest" account.
  • The options Exclude name and description of user from password, Include mixed case, Include numeric characters, and Minimal password length (set to 8 by default) are ticked by default.
  • If Apply password strength rules is ticked, users are required to set a non-blank password even if Minimal password length is not ticked.
  • To enhance the strength of passwords, we recommend setting Minimal password length to 8 and enabling at least three of the first five options.

Password Expiration

You can enhance the security of user accounts with the password expiration function to force users to change password after the specified period of time.

To set up the password expiration schedule:

  1. Tick the Enable password expiration checkbox.
  2. The following options are configurable:
    • Maximum password valid duration: Specify the number of days after which the passwords expire.
    • Minimum password valid duration: Tick the checkbox to enable this function, and specify the number of days before which the users are disallowed to change their passwords.
    • Prompt users to change password upon login before expiration: Tick the checkbox to enable this function, and specify the number of days before password expiration the users will be reminded to change their passwords upon login.
    • Allow users to change password after expiration: Tick the checkbox to allow users to sign in with their current passwords having expired and change their passwords.
    • Send expiration notification emails: Tick the checkbox to notify users of password expiration via email.
  3. Click Apply to save settings.

2-Step Verification

2-step verification provides improved security for DSM user accounts. You can force DSM administrators or all DSM users to enable their 2-step verification in order to further protect their accounts.

To enforce 2-step verification for DSM users:

  1. Tick the Enforce 2-step verification for the following users box, and select which users you want to apply this to.
  2. Click Apply to save settings.
  3. With this enforcement applied, users that have not enabled their 2-step verification will be asked to finish the settings before they can log in to DSM.

Note:

  • If you have not yet configured 2-step verification at Personal > Account, the 2-step verification setup wizard will be launched to help you complete the required settings before you can apply this enforcement.
  • Disabling 2-step verification enforcement here will not affect or disable the 2-step verification settings of each user. Users can keep their 2-step verification settings, or go to Personal > Account to disable these settings.
  • 2-step verification also applies to all SSH-related services, such as SSH terminal, SFTP, and rsync with SSH transfer encryption. However, since Hyper Backup and Shared Folder Sync via rsync with SSH transfer encryption do not support 2-step verification, these two services will not be able to work normally after 2-step verification is enabled.

User Home

Enable user homes to create a personal home folder for each user, except for guest. All users can access their own home folder via CIFS, AFP, FTP, or File Station.

Users belonging to the administrators group can access all personal folders located in the homes default shared folder. The name of home folder is the same as the user account.

To enable the user home service:

  1. Check Enable user home service.
  2. If there are multiple volumes, select where you want the homes folder to be stored.
  3. Click Apply.

Note:

  • Once the local user home service is disabled, the domain user home service will also be disabled concurrently.

To disable the user home service:

  1. Uncheck Enable user home service.
  2. Click Apply to save settings.

After the user home service is disabled, the homes shared folder will be preserved for administrator access. Users will be able to access their home folders again when the user home service is enabled again.

Note:

  • To delete the homes shared folder, user home service must be disabled first.
  • The domain user home service would be disabled if the local user home service is disabled.
Password Settings
Password Expiration
2-Step Verification
User Home