Unanswered questions

Hi All,I'm new to PS but have been running RS for over a year now, we export syslog via webhooks on RS and PRA to our Rapid7 SIEM and it is working well, but I cannot seem to get it to work with PS. Any ideas?

Hi all,Im currently exploring the features and benefits of the EPM solution, and I came across the TAP functionality. I have a quick question regarding this.What is the difference between TAP configured under a Workstyle created in Enhanced Security and the TAP policy templates found under Utilities > Template Policies? I could not find any clear explanation in the documentation, or I may have missed it.I would appreciate it if someone could clarify this for me. Thanks. TAP under Workstyle created TAP template policies under Utilities > Template Policies 

Can BeyondTrust Password Safe support strict logical segregation between two departments (Network Division and IT Security Division) within the same Password Safe deployment, ensuring no visibility of assets, accounts, users, or sessions across divisions? Component Network Division IT Security Division PAM Admin Network PAM Admin Security PAM Admin Assets Network devices Security infrastructure Accounts Network privileged accounts Security privileged accounts Users Network engineers Security engineers Policies Network-specific Security-specific Reports Network only Security only Configuration Network Only Security Only

PRA requires a user to login a first time in order to be available in PRA for example to assign vault accounts.Unfortunately this is causing problems with new employees which are onboarded into PRA.Unless they have never logged in, administrators cannot assign personal vault accounts. If the user logs in, and does not see his/her vault account, they create tickets. This is a very large customer and it is difficult to orchestrate / communicate such a process and they would like to automatically provision new users (from AD). How do other customers provision users up-front and define vault accounts, etc. and not depend on a user’s first login?  

hi guys, is there a way to get a list of AD managed systems without linked accounts? thank you

Jump SQL management studio with credential injection on PRA

I have multiple Database admins I need to give access to our database for. We have no resources for PAW or Internal Admin machines. Is it the purpose of Beyondtrust SQL server tunnels to be ran on BYOD device and have them tunnel SQL Studio traffic to my on prem SQL server? Has anyone done this? I believe I have the tunnel up. How do you use Management studio? My “Open datasource Client” is grayed out. How do the credentials work? Do the credentials I use for the tunnel work for everyone using the tunnel? Or do I need to create one tunnel per person? 

I have strange behavior in my PasswordSafe.I am using an application session, and when I try to start an RDP Session / Start Application Session: When using the option to run on a different system with the functional account, it works perfectly. When using the option to run on the current system with the user account, the RDP session does not start. It shows a black screen for some time and then closes. When I checked the logs in the second case, I found the following: INFO: Accepted RDP session 1234 for 1.2.3.4:1234 INFO: RDP Handler 1234 starting INFO: Found RDP certificate: My:.... INFO: Reading self signed cert INFO: (RDP server) Client Security: NLA:1 TLS:1 RDP:0 INFO: (RDP server) Negotiated Security: NLA:0 TLS:1 RDP:0 INFO: (RDP server) Server Security: NLA:0 TLS:1 RDP:0 ERROR: (RDP server) BIO_read returned a system error 0: No error ERROR: (RDP server) transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D] ERROR: (RDP) BIO_should_retr

Hi everyone, have any of you implemented High Availability using a proxy server, or worked with customers who have deployed this setup? If so, I’d appreciate hearing about your experience, challenges, and overall results.Please share any relatable articles, would appreciate it. Thanks! 

Hi,I’m trying to find a good way to secure these generic accounts and still to be able to use them as bt- and buadmin are used on a regular basis for updates and support cases. As I have 4 appliances to manage and have high security requirements I’d need to have individual passwords, with regular changes and changes after access for each of them. It would be a challenge to manage the regular changes and make performing regular tasks challenging.I had posted an idea to use the Enterprise Updater as SPOC (Single Point of Control) which would have it’s own credentials and would have an encrypted key based connection to all appliances. From the Updater one could create individual schedules for the updates and unlock/lock them centrally. This would make tracking, planning and handling of updates a lot easier and only one generic user (buadmin) would need to be secured. I’d prefer a personal account though and leaving the generic account as a breaking glas solution. This would only cover the

Hi All, I wanted to check if there is any API available that I can use to retrieve the password of account ? We are using cloud version of Password safe. With my initial analysis , I found there is any API available that can be used to Set password for account But want to understand if there is any API available to retrieve the password as well?Awaiting response .thanks in advance.

Hi everyone,The end users are experiencing delay and slowness when taking RDP sessions through Password Safe on-prem. Usually they have to read logs and commands and the slow and delayed screen output is becoming a hassle for them, resulting in a very poor user experience.After some researching, I found a commonality in the solution that it an issue with the client’s network, however, they are not ready to accept it.According to them, when they take RDP directly from the U-series appliance, the session is much better but from the Web UI, it’s very delayed and slow.Has anyone here encountered an issue like this, if yes, how did you solve it.Thanks in advance.

Hello All, We have created the custom Mainframe platform to onboard the Mainframe account under Password safe. This functionality is working fine . We have a requirement to onboard the shared Ids on the custom Platform wherein one Id will be accessed  by 8 users.  Here we are facing issue that when one user checks out the Id other user gets the error saying “The account is not available during requested time”. I have seen the below KB article which says concurrent session is not available on Custom/Generic platforms and it asks to change the platform type of system to Windows/Linux which is not possible for us .https://beyondtrustcorp.service-now.com/csm?sys_kb_id=cf6c24fc47a2669015c43e7d826d4394&id=kb_article_view&sysparm_rank=2&sysparm_tsqueryId=6c5caa3f47d436501bf1db37536d43b3 My requirement here is , is there any workaround available which we can use from which users can at least  view the password from Password safe for these shared ids ?.  If users can view the passwo

Hi Elevate registry and allow changes only to particular section in registry HKEY_LOCAL_MACHINE\SOFTWARE\xxx and nothing else. So we know we can elevate any .reg files but we need to control because anyone can add anything into the reg file and do changes in registry. So is there any way to do this?

Hi Team,How to block dmg file installation in EPM-M we are unable to block installation for dmg file as well as package installer. The blocking rule is ineffective for application installations, whereas the actions related to allowing or requesting installations are functioning as intended.

Hi All, I would like to know how a user is being assigned to local admin group, via which AD security group or direct. Is there any way we can find this information through password safe A&R reporting service. Current setup is BeyondInsight 24.3.0.1186 Cloud.Br,Mani

Hello Community! I guess at least one people had is problem.Some times depending on the environment (cloud or on-prem) when we are just navigating between the menus, when we click to go to configuration, smart rules or any other menu, simply the Webconsole gets logged out.Other scenario is when we are using the webconsole and stops to user for few seconds (and really is few seconds) and appears the message "will be logged out soon/extend session"Have someone get this case? If yes, exists a reason for that and consequently the fix for that?Obs: in System > Site Options > Session: the time for Session Timout is already on a high time.Regards,Felipe 

We have several systems that, when viewing analytics/events there is no event activity reported on these systems. Yet if we view them in our RMM tool we see plenty of activity that should be appearing in analytics/events. What would be the best steps to take to address this issue?

Hi team,We have onboarded WINSCP as application in Beyondtrust password safe (cloud).  We are facing one challenge here where after application is launched using functional account , how can user transfer file from his local machine to RDS server. As WINSCP is launched to connect to target linux server , I want to understand since the file will be at user local machine , how can user move it to target linux system.I am sending the winscp application screen shot for reference . Awaiting response. Thanks in advance .Regards,Imran Aliyani

We are using a SmartRule with the Selection Attribute Criteria “Directory Attribute Match” using the employeeID attribute to map privileged account as dedicated account for a user only. This all works fine but we are worried if somehow the source system (e.g. AD) is messing with the data of this attribute employeeID, e.g. deleting the value (e.g. AD Admin not aware of that field, doing cleanup, etc.) or being tampered. This privileged acount then would be exposed to all the users (with access to that Managed Account group). How can this be prevented or found/reported which accounts may have an issue. I understand data quality is key here but with such a highly security related topic of privileged accounts one always has to assume that the source (AD) might be wrong and counter-measures must be possible on both side (source and consumer, i.e. PasswordSafe)

A client, and myself, all have the same error on our Azure connector: Unable to access Platform Environments: Insufficient privileges. Unable to access Platform Admin Applications: Insufficient privilegesIs anyone else seeing this issue? Bit of coincidence that we have this in three seperate sites. 

Hi Team,We’ve a use case as mentioned below:a user initiated a web jump from BT PRA to vSphere portal and was logged in successfully. Within the vSphere portal, user selects a VM wherein vSphere gives 2 types of logins- 1.Remote & 2.Web Console. User selects web console access which then launches a new tab within the Jump Item requiring password to be entered again. The key option is disabled and looking for suggestions to enable it.  

So, I’ve attempted this multiple times and took a short break to clear my head. Cannot seem to get this wrapped up, and it’s a necessity. Hi, I’m Robert and I’m a Security Engineer for my company. Part of my portfolio is Enterprise Software Management via Intune. I manage all software deployments for the company on a tenant level, using assignment groups to make certain apps available to pertinent groups. Over the past 3 years, I’ve learned a lot where Intune deployments and the Windows OS intersect. I’m still on the learning path, but I’m figuring out the nuances, the lowest common denominators and getting better at troubleshooting issues. This is where things get complicated: 100% of my experience in this arena is Windows 10 / Windows 11 based. And we now have a very small fleet (<10 devices) of Mac devices for our Marketing team. Now, I’ve tried everything I can find online, but the documentation on how to pull this off via Intune is scarce and incomplete. Reddit has been the mos

Hello Beekeeper Community,I’m curious to hear how others handle the following:Onboarding:easy: AD query, smart rules, and we have managed account. Offboarding:When a managed account deleted from AD , the password can’t locate the user. Also, there doesn’t seem to be a smart rule capability to identify which accounts are in Password Safe and which are not, to help with automated cleanup and management.How do you manage this process? Any tips or best practices would be appreciated!Regards,Maulik

Hi Beekepr ,  Does Password safe support password rotation base on managed asset /application session instead of time-based interval. Regards,Maulik