Disabled at Rest managed accounts | PS Cloud

What is Just-in-Time?

Just-in-Time (JIT) access is a core control for limiting who can use an organization's assets and identities, and for how long. When a Password Safe administrator flags an Active Directory or Entra ID managed account as Disabled at Rest, the account stays disabled in the directory whenever it is checked in to Password Safe and is enabled only while a request against it is active.

How is it useful?

When a requestor checks out a Disabled at Rest account, a workflow re-enables the account in the directory for the life of the request. When the request is checked back in (or expires), the account is disabled again. For Active Directory accounts, Password Safe applies the enable and disable operations on the Preferred Domain Controller (DC) configured for the managed account, if one is set.

ℹ️

The Disabled at Rest feature is only available for Active Directory (AD) and Entra ID accounts.

Enable the Disabled at Rest setting

The Disabled at Rest setting can be turned on for an individual account with the toggle switch under Managed Accounts > Edit Account > Account Settings, or for every account matched by a Smart Rule.

Enable Disabled at Rest with toggle switch

  1. Use a browser to sign in to your BeyondInsight/Password Safe URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
  2. From the left menu, click Managed Accounts.
    The Managed Accounts page displays.
  3. Locate the managed account in the grid.
  4. Click the ellipsis menu for the account, then click Edit Account.
  5. Under Account Settings, click the Disabled at Rest toggle to enable the setting.
  6. Click Update Account.

Create a Smart Rule for Disabled at Rest accounts

In addition to setting the Disabled at Rest option on an individual managed account, you can set the flag with a Smart Rule. The rule's action turns on Disabled at Rest for every account the rule matches, so the setting follows the rule's membership instead of being maintained account by account. Create the rule as follows:

  1. Use a browser to sign in to your BeyondInsight/Password Safe URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.

  2. From the left menu, click Smart Rules.
    The Smart Rules page displays.

  3. From the Smart Rule Type filter dropdown, select Managed Account.

  4. Click + Create Smart Rule.

  5. Select Managed Account Settings for Disabled at Rest Accounts under Actions.

  6. Under Platform, select either Active Directory or Microsoft Entra ID.

  7. Complete the remaining settings.

  8. Click Create Smart Rule.

🚧

Important information

If Disabled at Rest is set at the account level, a Smart Rule that uses the plain Managed Account Settings action overwrites it and sets Disabled at Rest to No for every account the rule matches. For Disabled at Rest accounts, use the Managed Account Settings for Disabled at Rest Accounts action instead, which sets Disabled at Rest to Yes for all affected accounts.

ℹ️

  • Concurrent accounts (accounts that can be checked out by several users at once) are disabled only after the last active request for the account ends.
  • The Disabled at Rest feature is not supported with Password Cache. The Password Cache service checks out the account it is configured for and keeps the credential in a local cache. That checkout is an active request, so the cached account is enabled and stays enabled for as long as the cache holds it.

Verify Disabled at Rest setting

Verify that the Disabled at Rest setting is enabled on the account, as follows:

  1. Use a browser to sign in to your BeyondInsight/Password Safe URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.

  2. From the left menu, click Managed Accounts.
    The Managed Accounts page displays.

  3. Locate the managed account in the grid (filter by the Smart Rule created above, if you used one).

  4. Click the ellipsis menu for the account, then click Go to Advanced Details.

  5. Under Details & Attributes > Account Settings, verify that Disabled at Rest is set to Yes.

Changes can also be viewed under User Audits, as follows:

  1. Use a browser to sign in to your BeyondInsight/Password Safe URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
  2. From the left menu, click Configuration.
    The Configuration page displays.
  3. Under General, select User Audits.
    The User Audits page displays.
  4. Click the icon to the right of the updated item. The Edit Details pane displays the action that was taken and the changes made.

Sample Disabled At Rest workflow description

Disabled at Rest accounts are temporarily enabled whenever a new Password Safe request is made against them. Using a View Password request as the example, the workflow is as follows:

  • From the left menu, click Password Safe.
    The Password Safe home page displays.
  • Click the Accounts tab.
  • Select Directory Linked Accounts.
  • Locate the account in the grid.
  • Click Access to the right of the account.
  • In the Access panel, under Quick Launch, set the time length of the session.
  • Click Retrieve Password.
    • The account is now enabled in the directory.
    • It remains enabled for the duration of the session. When the user checks in the request or the request expiry time is reached (whichever comes first), the account is queued to be disabled again.
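The enable/disable cycle above leaves a trail on the domain controller that performs it: Security event 4722 (A user account was enabled) at check out and 4725 (A user account was disabled) at check in or expiry. The following PowerShell is an added example, not BeyondTrust code, that pairs those events into enabled windows for one account and flags a window that outlasts the longest allowed request or that never closes, which is what a Disabled at Rest account held by Password Cache, or one stuck enabled, looks like in the log. The function name Get-AccountEnableWindows, the 120-minute limit and the sample events are constructed for the example.

```powershell
# Added example (not BeyondTrust code): rebuild the "enabled" windows of a
# Disabled at Rest account from DC Security log events and flag windows that
# outlive the longest allowed request or never close (e.g. an account held by
# Password Cache, whose checkout stays active).
#   4722 = A user account was enabled
#   4725 = A user account was disabled
# Both are logged on the DC that processed the change (the Preferred DC, if set).
# $MaxSessionMinutes and the sample events below are constructed for this example.

function Get-AccountEnableWindows {
    param(
        [Parameter(Mandatory)] [object[]] $Events,        # objects with TimeCreated, Id, TargetUserName
        [Parameter(Mandatory)] [string]   $TargetUserName,
        [int] $MaxSessionMinutes = 120
    )
    $windows  = @()
    $openedAt = $null
    $sorted = $Events | Where-Object { $_.TargetUserName -eq $TargetUserName } | Sort-Object TimeCreated
    foreach ($e in $sorted) {
        switch ($e.Id) {
            4722 {
                # A repeated enable while a window is already open is ignored:
                # concurrent checkouts share one enabled window.
                if ($null -eq $openedAt) { $openedAt = $e.TimeCreated }
            }
            4725 {
                if ($null -ne $openedAt) {
                    $minutes = [math]::Round(($e.TimeCreated - $openedAt).TotalMinutes, 1)
                    $status  = if ($minutes -gt $MaxSessionMinutes) { 'EXCEEDS_MAX_SESSION' } else { 'OK' }
                    $windows += [pscustomobject]@{
                        Account = $TargetUserName; EnabledAt = $openedAt
                        DisabledAt = $e.TimeCreated; Minutes = $minutes; Status = $status
                    }
                    $openedAt = $null
                }
            }
        }
    }
    if ($null -ne $openedAt) {
        # Enabled with no matching disable: the account is not at rest, investigate
        $windows += [pscustomobject]@{
            Account = $TargetUserName; EnabledAt = $openedAt
            DisabledAt = $null; Minutes = $null; Status = 'STILL_ENABLED'
        }
    }
    return $windows
}

# Constructed sample events (real ones come from Get-WinEvent, see below)
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2025-03-01 09:00'; Id = 4722; TargetUserName = 'svc-backup' }
    [pscustomobject]@{ TimeCreated = [datetime]'2025-03-01 09:45'; Id = 4725; TargetUserName = 'svc-backup' }
    [pscustomobject]@{ TimeCreated = [datetime]'2025-03-01 13:00'; Id = 4722; TargetUserName = 'svc-backup' }
    [pscustomobject]@{ TimeCreated = [datetime]'2025-03-01 13:10'; Id = 4722; TargetUserName = 'svc-backup' } # duplicate enable, ignored
    [pscustomobject]@{ TimeCreated = [datetime]'2025-03-01 17:30'; Id = 4725; TargetUserName = 'svc-backup' } # 270 min > 120
    [pscustomobject]@{ TimeCreated = [datetime]'2025-03-02 08:00'; Id = 4722; TargetUserName = 'svc-backup' } # never disabled
)
Get-AccountEnableWindows -Events $sample -TargetUserName 'svc-backup' -MaxSessionMinutes 120 | Format-Table -AutoSize

# Against a real DC (requires Event Log Readers on the DC), replace $sample with:
# $real = Get-WinEvent -ComputerName $PreferredDc -FilterHashtable @{
#             LogName = 'Security'; Id = 4722, 4725; StartTime = (Get-Date).AddDays(-7) } |
#     ForEach-Object {
#         $x = [xml]$_.ToXml()
#         [pscustomobject]@{ TimeCreated = $_.TimeCreated; Id = $_.Id
#             TargetUserName = ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text' }
#     }
```

With the sample input the first window reports OK (45 minutes), the second EXCEEDS_MAX_SESSION (270 minutes) and the last STILL_ENABLED. Set MaxSessionMinutes to the longest request duration your access policies allow; anything above it, or any STILL_ENABLED row older than that limit, is an account that is not actually at rest.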

ℹ️

When you enable Disabled at Rest on a managed account, Password Safe sets the account to disabled in AD or Entra ID. If the account does not become disabled, a check out followed by a check in may be required to trigger the disable workflow.

Affected settings

When a managed account is set to Disabled at Rest, the following settings are unavailable for it:

  • Account Settings > Use Own Credentials
  • Account Settings > Directory Query Enabled
  • Scanner Settings > Scanner Enabled
  • Managed Account > Advanced Details > Propagation Actions
  • Test Password in the ellipsis menu

ℹ️

Password Safe writes the enable and disable changes to a single DC (the Preferred DC, if one is set). Until that change replicates, other DCs in the domain still hold the previous state: a freshly checked-out account can be rejected by a DC that has not yet received the enable, and a checked-in account can remain usable on a DC that has not yet received the disable. For site replication considerations when leveraging the Disabled at Rest feature, refer to your Active Directory administrators.
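The two notes above (an account that does not become disabled after the setting is enabled, and site replication) come down to one question: what state does each DC actually hold for the account? The following PowerShell is an added example, not BeyondTrust code, that reads the account from every DC in the domain and reports where it is still enabled (or, with -ExpectEnabled during an active request, where it is still disabled). It assumes the RSAT ActiveDirectory module is installed and that $SamAccountName and $PreferredDc are supplied by the caller; the Entra ID comment at the end points at the equivalent Microsoft Graph check.

```powershell
# Added example (not BeyondTrust code): confirm that a Disabled at Rest managed
# account is really disabled, and disabled on every domain controller rather
# than only on the Preferred DC that Password Safe wrote the change to.
# Assumptions: the RSAT ActiveDirectory module is installed, the caller can read
# the account from each DC, and $SamAccountName / $PreferredDc are placeholders.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [string] $PreferredDc,
    [switch] $ExpectEnabled      # use while a request is active (account checked out)
)
Import-Module ActiveDirectory

# Query every DC directly; a slowly replicating change shows up as a disagreement here
$dcs = @((Get-ADDomainController -Filter *).HostName)
if ($PreferredDc -and ($dcs -notcontains $PreferredDc)) { $dcs += $PreferredDc }

$results = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties Enabled, userAccountControl, whenChanged
        [pscustomobject]@{
            DomainController = $dc
            IsPreferredDc    = ($dc -eq $PreferredDc)
            Enabled          = $u.Enabled
            # ACCOUNTDISABLE is bit 0x2 of userAccountControl; Enabled is its inverse
            UacDisableBit    = [bool]($u.userAccountControl -band 0x2)
            WhenChanged      = $u.whenChanged
            Error            = $null
        }
    } catch {
        [pscustomobject]@{
            DomainController = $dc; IsPreferredDc = ($dc -eq $PreferredDc)
            Enabled = $null; UacDisableBit = $null; WhenChanged = $null
            Error = $_.Exception.Message
        }
    }
}
$results | Format-Table -AutoSize

$expected = [bool]$ExpectEnabled
$mismatch = $results | Where-Object { ($null -eq $_.Error) -and ($_.Enabled -ne $expected) }
if ($mismatch) {
    $state = if ($expected) { 'enabled' } else { 'disabled' }
    Write-Warning ("'{0}' is not {1} on: {2}. If the Preferred DC is correct, wait for replication or do a check out/check in." -f `
        $SamAccountName, $state, ($mismatch.DomainController -join ', '))
    exit 1
}
Write-Host "'$SamAccountName' is $(if ($expected) { 'enabled' } else { 'disabled' }) on all $($results.Count) DCs."

# Entra ID accounts: the equivalent check with the Microsoft.Graph module is
#   Connect-MgGraph -Scopes 'User.Read.All'
#   (Get-MgUser -UserId '<upn>' -Property AccountEnabled).AccountEnabled
```

Run it once after check in and once after check out. If only DCs other than the Preferred DC disagree, and still disagree after the replication interval, the problem is replication; if the Preferred DC itself disagrees, the Password Safe workflow did not run, which is the case the note above addresses with a check out/check in.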


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.