Recently active topics

Hi team My client is having this problem: some sessions are recording, and others aren't. They have several connections to the same device, and while some recordings are available, others only have the transcript. I'd like to know what's happening in this case and what the problem might be. As an additional note, the product is in version 25.3.2. All sessions are from the same user and are of type RDP

From what I can tell, dedicated account mapping (e.g. KB0017035) the only option available is to map the exact same attribute in both domains. For example, employeedomain\user1 has attribute1 set to “user1”privilegeddomain\admin1 has attribute1 set to “user1”to drive the mapping via smart rules. However, that implies that modifying attribute1 in employeedomain to a different value, say, “user2” would grant user1 access to user2’s privileged resources, giving domain1 authority over a privileged domain’s access. What I want to be able to do is have privilegeddomain\admin1 attribute1 set to “user1”, and map that to employeedomain\user1’s name field (or samaccountname, or SID - something not modifiable without breaking the employeedomain\user1 account). Is that possible? 

I have a windows 2019 server enabled with RDS services and password safe for users that need to have privileged access to cloud apps that are onboarded as enterprise apps in Entra / Azure. How can i give users a single on sign experience when they do not have access to the account password? I am trying to avoid published apps and keep my admin overheads as low as possible.Has any here been able to make this happen? I had something running to support this when we had ADFS, but sadly we have moved on.

Hi Team, I need a report to pull the data of all the managed account last login details on associated servers this is required for Audit purpose has anyone tried to pull out successfully from the Analytics and reporting feature?Quick suggestions and recommendation from the community will be appreciated. 

Hi communityOur clients are currently starting to use SQL Tunnel and PostgreSQL Tunnel connections. When checking the recordings, they are not available; only the transcript is shown. I would like to know if PRA does not support these types of recordings.

hello friends,we are doing a fresh install for our UVM’s we have downloaded the OVA and having them mounted. is there an implementation guide on how to set up this UVM/BI. we had one for earlier versions which included the default username/password and steps to set up and configure the base UVM. we are doing an upgrade/migration Thanks.Frank Colvin

The following articles were published last week. New Knowledge Base Articles: KB0022540 - Is there any effect when changing SMTP authentication from Legacy to Oauth2 with the Integration Client? KB0022553 - What operating system can BeyondTrust SRA Integration Client be installed on? KB0022568 - All new users getting all Asset or Jump Items by default in RS and PRA KB0023619 - Will local users stay in User Accounts after expiry? KB0023658 - Vault checkout error "System name is not configured for directory linked account checkout" KB0023662 - Console tab missing in /login KB0023671 - Can multiple connected screens be viewed simultaneously in separate, detachable windows?

The following articles were published last week. New Knowledge Base Articles: KB0022540 - Is there any effect when changing SMTP authentication from Legacy to Oauth2 with the Integration Client? KB0022553 - What operating system can BeyondTrust SRA Integration Client be installed on? KB0022568 - All new users getting all Asset or Jump Items by default in RS and PRA KB0023619 - Will local users stay in User Accounts after expiry? KB0023656 - Network Tunnel: The privileged remote access network tunnel endpoint service is not installed KB0023658 - Vault checkout error "System name is not configured for directory linked account checkout" KB0023662 - Console tab missing in /login KB0023671 - Can multiple connected screens be viewed simultaneously in separate, detachable windows?

The following articles were published last week. New Knowledge Base Articles: KB0023609 - Child matched events using Any Application or have missing data KB0023663 - What is the URLCache used for? KB0023664 - Custom messages configured to show two lines with the BT PM App display all three KB0023668 - "Mail To" email sent from an EPM-W block message is missing file hash and publisher name

The following articles were published last week. New Knowledge Base Articles: KB0022494 - Error while rotating a password: Missing Custom Plugin KB0022513 - Workforce Passwords Usage Summary Report or Active Users report fails KB0022534 - Is BeyondTrust Workforce Passwords available on Firefox and macOS? KB0023328 - After upgrading to 25.3 OAuth does not work KB0023541 - EPM client check-in fails with "Database Offline" and "Unable to refresh policies" errors after upgrade KB0023624 - "HTTP/2 Protocol Error: Stream closed with an error" when using Password Safe API with Postman 12.x KB0023635 - BeyondInsight Password Safe features overview KB0023648 - Is there a way to tell who did a session request or viewed a password for managed account? KB0023660 - Where is the Endpoint Credential Manager (ECM) installer and what are the requirements? KB0023669 - Can a U-Serie

Hello everyone,We are running BeyondTrust Password Safe (On-Prem) and managing several network appliances configured as Managed Systems.Our environment includes:Network appliances onboarded as Managed Systems Local managed accounts on each appliance Application Sessions configured for access to the appliances’ web interfaces Two managed accounts (One as Managed account for network appliance and the other for RDS credential injection) with the same username that must share and stay synchronized with a single passwordGoal:When a password is rotated or manually changed for one managed account, the password should be automatically updated on the corresponding account on the other appliance.Questions specific to Password Safe On-Prem:What is the recommended approach to synchronize passwords between multiple managed accounts? Can this be achieved using: Account dependencies (primary / dependent accounts) Shared password objects Password change policies applied to multiple managed systems

Hello Team,We are looking for setting configuration for Maximum Password Age and Minimum Password Age to be set in Configuration > Role Based Access > Local Account Settings > Account Password.I don't see that option field for version BeyondTrust Password Safe 25.1 version. Can someone help to know how to see these fields in configuration part.Thanks,Prasad

I have a standalone Gateway (Jumpoint) and a Gateway cluster (jumpoint cluster).Wha can I configure my Jump Clients only to use a standalone gateway (jumpoint) and not the gateway cluster?

Hello, We have a requirement from Auditing point of view which states -“Beyond Trust Password safe should start session recording once user has checked in Password for managed account and this recording should end once his access is revoked from AD group for that managed account. The recording should cover entire session with showing what all applications were touched upon with retrieved password”Is it possible with Beyond Trust Password safe (On Premise) environment. Thanks,Prasad

This might be a bit too big of a question for this forum. However, I am not sure where to start. We are still somewhat new to PRA. I am wanting to start using Docker containers for our jumpoints instead of putting them on Linux instances. First, where do I go to download the container image? I heard that there is a stock image that we would use and then just input the key to start the connection to our system. Second, can we put the container in a service like AWS container service or Azure container service? Third, and this will show my very beginner level of experience with containers, would we do the firewall rules for the containers the same way that we do them for the Linux servers that are jumpoints?I have a feeling there are other items that I am totally missing, but I figured this is a good start. If you know of documentation you can point me to I am more than happy to start reading and testing things out. 

Hi Everyone,I received some information from a friend regarding the use of BeyondTrust Password Safe licenses specifically, the asset-based version.Let’s say we purchase 1,000 licenses. If all the licenses have been used, we will still be able to add and access the new system.1.However, we don’t know what the maximum tolerance is. Is that correct?2.What other information should I know regarding license usage and what happens once all licenses have been used? Thank you,Please help and give me some advice

Hi everybody, hope y’all having a great friday so far.Even though we know Windows 2003 are out of support, we still have a couple running precious services, and we’re on track to upgrading them.  There are accounts on our Password Safe that go through PRA ECM integration for injecting credentials. That works for 99% of the newer Windows machines except these. We realized that whenever we jump to these, the main issue is the “format” of the credentials are wrong (even it says in the login menu of the machine).Is there a workaround or any ideas that might worth a try? Thanks!     

i need assistance adding a SAAS application which we’re using with some admin accounts to BT password safe 

Trying to get a handle on Microsoft Store installs. Microsoft Store apps can be blocked via GPO however there are many gaps around this. For example, using the web browser to go to Microsoft store. https://www.reddit.com/r/Intune/comments/1e44bkb/ms_store_block_bypassed_via_browser/Is there a way to block Msix files from installing in Beyond Trust? maybe prevent them from running from downloads folder? 

Hello All,Anyone gotten the Codex app working with admin sandbox? OpenAI has made the unfortunate decision to make their app an MS Store app. Users are prompted that “Couldn’t set up agent sandbox with admin permissions”, and they’re met with a vanilla UAC prompt.

Anyway of being able to mass delete users in PRA? E.g. if not authenticated in X amount of days?GUI doesn’t have check boxes to select multiple users to perform bulk tasks. There’s a 5+ sec gap when deleting individual users one buy one and whilst waiting for the user table to refresh, quite tedious!  No automated settings I’m aware of for internal users, whereas vendor users have this option -Will implementing SCIM (SAML only currently) address this or will it only disable users rather than delete?​​​​​​​

Hi All.I have identified two functions that are still missing in PM Cloud, and the available APIs force you into workarounds to accomplish some of these tasks.Moving a list of computer hostnames into a specific group.Overcoming two API hurdles: partial name matching, and the requirement to fetch computer IDs before using the CSV import option—since it does not support hostnames directly. 😖When you need to move computers between groups, doing it manually becomes a tedious process.In the classic Policy Editor MMC Snap-in, we had the advantage of browsing for a file and automatically pulling in its metadata. This capability has not yet been added to PM Cloud either.How have you resolved these options and are there any functions that you see missing in addition?I addressed these gaps, by creating a WebApp that handles both challenges, plus an application scanner for bulk rule uploads.Move Computers to Group allows me to upload a CSV file containing a hostname column with hostnames listed

Hi All, I am working on one requirement which is related to Launching the application from BT Password safe. Application is launching from BT without issue however authentication is failing  as application only accepts the username in lower case . In BT account is domain account and it is in Capital letter and hence we cannot change the case of account .  I am using PS_automate to launch the application. Is there anyway I can change the case of username before application is launched . That will help me to resolve issue Awaiting response here. Need help here please .Regards,Imran Aliyani

The following articles were published last week. New Knowledge Base Articles: KB0021249 - Representative Console login error "All reserved licenses in the license pool are in use" KB0022444 - Can USERID and DATETIMESTAMP be used in the Integration Client recording file format name? KB0022475 - Jump Client prompts for application selection after upgrade despite configuration KB0022520 - API error Unsupported_grant_type KB0022521 - Logout idle representative after Policy stopped working KB0023589 - Remote RDP sessions disconnecting when injecting the same Vault credential KB0023639 - Can the RS or PRA Jump Client be installed using a PKG file? KB0023646 - What is the difference between Remote Jump and Remote RDP Jump? KB0023649 - Can the primary Atlas hostname be changed in Cloud? KB0023654 - Does CVE-2026-20833 affect Remote Support or Privileged Remote Access?