Vault
What is Vault?
Vault is a secure storage solution that allows organizations to safely store and manage sensitive information, such as credentials and passwords, to ensure they are accessible only to authorized users.
How is Vault useful to my organization?
Vault helps improve security and compliance by providing a centralized location for managing sensitive data, ensuring that credentials are protected, and reducing the risk of unauthorized access during remote support sessions.
Note
Vault can import, rotate, and manage up to 60,000 accounts.
How do I access the Vault page?
- Use a Chromium-based browser to sign in to your Privileged Remote Access URL. This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
- From the left menu, click Vault. The Accounts page opens and displays by default.
View Vault account details
Available information for shared accounts includes:
- Type: The type of account: a domain account, a local account, or a generic password account.
- Name: The name of the account.
- Username: The username associated with the account.
- Group: The name of the account group to which the account belongs.
- Endpoint: The endpoint with which the account is associated.
- Account Policy: The account policy the Vault account is using.
- Description: A short description of the account.
- Last Checkout: The last time the account was checked out.
- Password Age: The age of the password.
- Status: This column displays when at least one of the accounts has a warning, error, or checked-out status to indicate. Accounts managed by Entra ID are identified in the Status column, as is an alert if there is no service principal for the account. Accounts used to run a Windows service are indicated as Service Account in the Status column. Multiple statuses for an account are stacked and displayed in different colors. Hover over a specific status to view more details about it.
Note
The Status column is auto-hidden when none of the accounts have a status currently set.
Note
You can filter the list of shared accounts displayed using the filters for Group and Password Age. Click the Select visible columns button above the grid to customize the columns displayed in the grid.
Based on this information, you can perform various actions, including credential check out, check in, and credential rotation.
Available information for personal accounts includes:
- Type: The type of account: a domain account, a local account, or a generic password account.
- Name: The name of the account.
- Owner: The name of the person who created and owns the account.
- Description: A short description of the account.
- Password Age: The age of the password.
Note
You can filter the list of personal accounts displayed by Owner and Password Age.
Add account
Click Add to manually add a shared or personal generic account to BeyondTrust Vault.
Rotate
Select one or more discovered (non-generic) accounts, click Rotate, and then click Start Rotation.
Note
- Service accounts running in a failover cluster environment cannot be rotated. The error "Failover Cluster detected. Unable to change the run-as password for the service <service_name>" appears when a rotation attempt is made and Rotation Failed is indicated in the Status column for the service.
- Services using a Microsoft Graph account as the Run As account cannot be rotated.
- Services that have dependent services cannot be rotated, due to the risk of services within the service chain not restarting successfully.
Note
For more information, please see Rotate credentials.
Search shared accounts
Search for a specific shared account or a group of accounts based on Name, Endpoint Name, and Description.
Check out and check in a shared account
Click Check Out to view and use a shared credential. When selected, the Account Password prompt appears, displaying the credential for 60 seconds to allow you to copy the password. Once the prompt is closed, the Check In option becomes available. When finished using the account, click Check In to check the password back into the system.
Ellipsis menu for shared accounts
Click the ellipsis (...) to view more actions, such as Rotate Password, Edit, and Delete. When Rotate Password is selected, the system automatically rotates or changes the password. When Edit is selected, you can modify the account's information. The Delete option removes the account from the Accounts list.
Note
- Service accounts running in a failover cluster environment cannot be rotated. The error "Failover Cluster detected. Unable to change the run-as password for the service <service_name>" appears when a rotation attempt is made and Rotation Failed is indicated in the Status column for the service.
- Services using a Microsoft Graph account as the Run As account cannot be rotated.
- Services that have dependent services cannot be rotated, due to the risk of services within the service chain not restarting successfully.
Search personal accounts
Search for a specific personal account or a group of accounts based on Name and Description.
View password for personal account
Click View Password to view and use a personal credential. When selected, the Account Password prompt appears, displaying the credential for 60 seconds to allow you to copy the password.
Edit personal account
Click Edit Account to modify the account's information, specifically Name, Description, Username, and Password.