Disabled at Rest managed accounts | PS Pathfinder

What is Just-in-Time?

Just-in-Time (JIT) is a critical aspect of controlling access to assets and identities within an organization. When a Password Safe administrator flags an Active Directory or Entra ID account as Disabled at Rest, Password Safe disables the account whenever it is checked in, so the account is usable only while an approved request is open.

How is it useful?

When a requestor checks out a disabled account, a workflow is initiated that re-enables the account for use. Once checked back in, the account is disabled again. When enabling or disabling an account, Password Safe uses the Preferred Domain Controller (DC), if set, for the managed account.

ℹ️

The Disabled at Rest feature is only available for Active Directory (AD) and Entra ID accounts.

Enable the Disabled at Rest setting

The Disabled at Rest setting can be activated by using a toggle switch, located in Managed Accounts > Account Settings, or by creating a Smart Rule.

Enable Disabled at Rest with toggle switch

  1. At the top left of the page, click > Password Safe > Managed Accounts.
    The Managed Accounts page displays. You can also select the Managed Accounts container card on the Password Safe Home page.
  2. Locate the managed account in the grid.
  3. Click > Edit Account.
  4. Under Account Settings, click Disabled at Rest to enable the setting.
  5. Click Update Account.

Create a Smart Rule for Disabled at Rest accounts

In addition to setting the Disabled at Rest option in an individual managed account, you can also set the Disabled at Rest flag by creating a smart rule. The flag automatically turns on the Disabled at Rest setting for all matching accounts included in the smart rule, as follows:

  1. At the top left of the page, click > Password Safe > Smart Rules.
    The Smart Rules page displays.
  2. Select Managed Account from the Smart Rule Type Filter dropdown.
  3. Click Create Smart Rule.
  4. Select Managed Account Settings for Disabled at Rest Accounts from the first dropdown under Actions.
  5. Under Platform, select either Active Directory or Microsoft Entra ID.
  6. Complete the smart rule, and then select Create Smart Rule.

🚧

Important

If the Disabled At Rest setting is set at the account level, it is overwritten by the Manage Account Settings action in a Smart Rule, which sets Disabled at Rest for all affected accounts to No. You must use the Manage Account Settings for Disabled At Rest Accounts action instead, which sets Disabled at Rest for all affected accounts to Yes.

ℹ️

  • Concurrent accounts (accounts used by multiple users at the same time) are disabled only after the account is no longer in use by anyone.
  • The Disabled at Rest feature is not supported with Password Cache. The Password Cache service checks out the account it is configured for and keeps a local cache. Because the cache is an active request, the cached account is enabled and stays enabled.

Verify Disabled at Rest setting

Verify that the Disabled at Rest setting is enabled:

  1. At the top left of the page, click > Password Safe > Smart Rules.
    The Smart Rules page displays.
  2. Locate the managed account created above.
  3. Click > Go to Advanced Details.
  4. Under Details & Attributes > Account Settings, Disabled at Rest should be set to Yes.

Changes can also be viewed under User Audits:

  1. At the top left of the page, click > Password Safe > Configuration.
    The Configuration page displays.
  2. Under General, select User Audits.
    The User Audits page displays.
  3. Click to the right of the updated item. The Details pane displays the action that was taken and the changes made.

Sample Disabled At Rest workflow description

Disabled accounts are temporarily enabled when a new Password Safe request is made. The following walkthrough uses a View Password request as an example:

  1. At the top left of the page, click > Password Safe > Password Safe Accounts.
    The Accounts page displays.
  2. Click Directory Linked Accounts.
  3. Click Access to the right of the request.
  4. In the Access pane, under Quick Launch, set the time length of the session.
  5. Click Retrieve Password.
    • The account is now enabled.
    • It remains enabled for the duration of the session. If the user checks in the request or the request expiry time is reached (whichever comes first), the account is queued to be disabled.

ℹ️

When enabling the Disabled at Rest feature on a managed account, the account is set to disabled in AD or Entra ID. If the account does not become disabled, a check out/check in may be required.
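A practitioner usually wants to confirm the AD-side state independently of the Password Safe UI, and because Password Safe writes the change to the Preferred DC, replication lag can make other DCs disagree for a while. The following PowerShell script is an added example (not BeyondTrust documentation or product code): it queries every writable domain controller for the account's Enabled flag so that a stale DC stands out. It assumes the ActiveDirectory RSAT module is installed and that `$PreferredDC` is the same host configured as the Preferred DC for the managed account.

```powershell
# Added example, not part of the BeyondTrust documentation or product.
# Reports the Enabled state of a Disabled at Rest managed account on every
# domain controller, so replication lag from the Preferred DC is visible.
# Assumes the ActiveDirectory (RSAT) module; $PreferredDC is an assumption
# and should match the Preferred DC set on the managed account.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # the managed account
    [string] $PreferredDC                              # optional, as set in Password Safe
)
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
if ($PreferredDC -and ($dcs -notcontains $PreferredDC)) {
    Write-Warning "Preferred DC '$PreferredDC' was not returned by Get-ADDomainController."
}

# Ask each DC directly (-Server) instead of letting the module pick one.
$results = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties Enabled, whenChanged
        [pscustomobject]@{ DC = $dc; Preferred = ($dc -eq $PreferredDC)
                           Enabled = $u.Enabled; WhenChanged = $u.whenChanged; Error = $null }
    } catch {
        [pscustomobject]@{ DC = $dc; Preferred = ($dc -eq $PreferredDC)
                           Enabled = $null; WhenChanged = $null; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# With no open request, every DC should report Enabled = False. A DC that
# still reports True after the disable has been queued indicates replication
# lag, or an account that needs a check out/check in to settle.
$stillEnabled = $results | Where-Object { $_.Enabled -eq $true }
if ($stillEnabled) {
    Write-Warning ("Account still enabled on: " + ($stillEnabled.DC -join ', '))
} else {
    Write-Host "Account is disabled on all $($results.Count) queried DCs."
}
```

Run it once while the account has no open request (expect False everywhere) and once during an active checkout (expect True, first on the Preferred DC) to see the JIT cycle end to end.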

Affected settings

When your account is set to Disabled at Rest, the following settings are not available:

  • Account Settings > Use Own Credentials
  • Account Settings > Directory Query Enabled
  • Scanner Settings > Scanner Enabled
  • Managed Account > Advanced Details > Propagation Actions
  • Test Password is not available in the ellipsis menu.

ℹ️

For more information about site replication considerations when leveraging the Disabled at Rest feature, please refer to your Active Directory administrators.
