Skip to main content
Question

Password Safe password history retention for more than one year

  • December 19, 2025
  • 2 replies
  • 6 views
P

Hi,

Anyone else have a need to keep password history for more than one year? A problem we face is if we need to restore a windows server from more than a year ago, we won’t be able to log in via the local administrator password as it will be unknown. I know there are some workarounds where you can reset if it is an AzureVM, but having history more than a year is needed.

Anyone have any smart ways to work around this limitation?

Someone has already logged an idea for this if you want to vote.

Allow Password History For More Than 360 | All Product Ideas - Public

Thanks

      2 replies

      Pulitros144
      Forum|alt.badge.img+4
      • Pulitros144
      • Veteran
      • December 19, 2025

      Hi,

      Anyone else have a need to keep password history for more than one year? A problem we face is if we need to restore a windows server from more than a year ago, we won’t be able to log in via the local administrator password as it will be unknown. I know there are some workarounds where you can reset if it is an AzureVM, but having history more than a year is needed.

      Anyone have any smart ways to work around this limitation?

      Someone has already logged an idea for this if you want to vote.

      Allow Password History For More Than 360 | All Product Ideas - Public

      Thanks

      You have the option to create a Secrets Folder within Secrets Safe and set up a Propagation Action. This way, every time the password is changed, a new credential is created—using a naming convention like 'Account+Month+Year'—and the latest password is saved there. If you change it monthly, you could also use 'Account+Day+Month+Year' for weekly rotations.

      You could apply this either to specific critical servers or across all servers. You can then clean up old entries manually or use the API to automatically delete 'old' entries as soon as a new one is created.

      This approach works well; I have implemented it for one of our customers. It has been running for two years now, and so far, they have achieved a 92% success rate for restores.

      PS
      Pulitros144
      Forum|alt.badge.img+4
      • Pulitros144
      • Veteran
      • December 19, 2025

      @PatC Here a example of the script and the instructions to use:
       

      Script Arguments: In your Propagation Action configuration, ensure you pass the arguments in the order the script expects: "%u" "%p" "Month" (or "Weekly").
       

      %u = Managed Account UserName

      %p = Managed Account Password
       

      Folder ID: You must first find the GUID of your target folder. You can find this by calling GET Secrets-Safe/Folders/.

      Permissions: The "RunAs" user specified in the script must have Read/Write access to Secrets Safe  and the specific folder you are targeting.

      API Key: Ensure the API key used is associated with a user who has the "Secrets Safe" feature/permission enabled.

      1 Attachments
      PS

      Badge Earners

      • 1 Courses Completed - Entitle
        AdrianRhas earned the badge 1 Courses Completed - Entitle
      • BCIE: Privileged Remote Access
        Vercruysse Stevenhas earned the badge BCIE: Privileged Remote Access
      • BCA: Password Safe
        ariffsrhas earned the badge BCA: Password Safe
      • BCA: Password Safe
        Shawnpuahas earned the badge BCA: Password Safe
      • BCSE: Password Safe
        Shawnpuahas earned the badge BCSE: Password Safe
      Show all badges
      Terms & ConditionsCookie settingsAccessibility statement