DocumentationRelease Notes
Log In
Documentation

Disabled at Rest managed accounts

Suggest Edits

Just-in-Time (JIT) is a critical aspect of controlling access to assets and identities within an organization. When flagged by a Password Safe administrator, Active Directory and Entra ID accounts can leverage JIT capabilities by disabling these accounts when checked in to Password Safe. When a requestor checks out an account, a workflow is initiated that re-enables the account for use. Once checked back in, the account is disabled again.

When enabling or disabling an account, Password Safe uses the Preferred Domain Controller (DC), if set, for the managed account.

ℹ️

Note

The Disabled at Rest feature is only available for Active Directory (AD) and Entra ID accounts.

Enable the Disabled at Rest setting

The Disabled at Rest setting can be activated by using a toggle switch, located in Managed Accounts > Account Settings, or by creating a Smart Rule.

Enable Disabled at Rest with toggle switch

  1. From the left hand menu in the BeyondInsight console, click Managed Accounts.
  2. Select a managed account and then click the vertical ellipsis to the right of the account.
  3. From the menu, select Edit Account.
  4. Under Account Settings, click the Disabled at Rest toggle switch to enable the setting.
  5. Click Update Account.

Create a Smart Rule for Disabled at Rest accounts

In addition to setting the Disabled at Rest option in an individual managed account, you can also set the Disabled at Rest flag by creating a smart rule. The flag automatically turns on the Disabled at Rest setting for all matching accounts included in the smart rule, as follows:

  1. From the left menu in the BeyondInsight console, click Smart Rules.
  2. Select Managed Account from theSmart Rule Type Filter dropdown.
  3. Click Create Smart Rule.
  4. Select Managed Account Settings for Disabled at Rest Accounts from the first dropdown under Actions.
  5. Under Platform, select either Active Directory or Microsoft Entra ID.
  6. Complete the smart rule, and then select Create Smart Rule.

⚠️

Important

If the Disabled At Rest setting is set at the account level, it is overwritten by the Manage Account Settings action in a Smart Rule, which sets Disabled at Rest for all affected accounts to No. You must use the Manage Account Settings for Disabled At Rest Accounts action instead, which sets Disabled at Rest for all affected accounts to Yes.

ℹ️

Note

  • Concurrent accounts, those that are used by multiple users, are disabled only after the account is no longer in use by anyone.
  • The Disabled at Rest feature is not supported with Password Cache. This service checks out the account it is configured for and keeps a cache locally. The cache is an active request, meaning the cached account is enabled, and it will stay enabled.

Verify Disabled at Rest setting

Verify that the Disabled at Rest setting is enabled, as follows:

  1. Click the vertical ellipsis to the right of the account that was updated.
  2. From the menu, select Go to Advanced Details.
  3. Under Details & Attributes > Account Settings, Disabled at Rest should be set to Yes.

Changes can also be viewed under User Audits, as follows:

  1. Go to Configuration > General > User Audits.
  2. Click the information icon to the right of the updated item. The Edit Details pane displays the action that was taken and the changes made.

Sample Disabled At Rest workflow description

Disabled accounts are temporarily enabled when a new Password Safe request is made. Using the View Password request as an example, view the workflow, as follows:

  • Click the left menu in the BeyondInsight console and click Password Safe.
  • Go to Accounts > Directory Linked Accounts.
  • Click Access (key icon) to the right of the request.
  • In the Access pane, under Quick Launch, set the time length of the session.
  • Click Retrieve Password.
    • The account is now enabled.
    • It remains enabled for the duration of the session. If the user checks-in the request or the request expiry time is reached (whichever comes first), the account is queued to be disabled.

ℹ️

Note

When enabling the Disable at Rest feature on a managed account, the account is set to disabled in AD or Entra ID. If the account does not become disabled, a check out/check in may be required.

Affected settings

When your account is set to Disabled at Rest, the following settings are not available:

  • Account Settings > Use Own Credentials.
  • Account Settings > Directory Query Enabled
  • Scanner Settings > Scanner Enabled
  • Managed Account > Advanced Details > Propagation Actions
  • Test Password is not available in the ellipsis menu.

ℹ️

Note

For more information about site replication considerations when leveraging the Disable at Rest feature, please refer to your Active Directory administrators.

Updated 6 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.