Unanswered questions

I’m trying to see if it’s possible to utilize an SSH client manager like SuperPutty or mRemoteNG for managing SSH sessions that use SAML authentication.  We can not use the Direct Connect feature due to SAML being token based.  Any guidance would be greatly appreciated.

Hello,We have a on-demand rule for Command prompt for a set of users . This rule allows running of child processes with Basic Admin token for Windows Command Prompt - Run-As-Admin action.For same set of users , when they try to install another application using Run-As-Admin option , based on quick-start rules it gets Admin token which gets applied to child processes as well. But at one point in installation Command Prompt is launched by the installer , this results in additional prompt for the user . Logs show that it is hitting the Command Prompt on-demand rule. I think as the application is triggering the Command Prompt and it has application name as parent process, it should ideally get the admin token and not hit the CMD on-demand rule ?

Hi All,I'm provisioning a new on-prem BeyondTrust Password Safe to test the reporting and analytics features on BeyondInsight 25.1.1.The issue is that the Domain section shows 'This list contains no data,' which prevents me from proceeding with report generation.Did I miss a necessary configuration step? Any help with this issue is appreciated.Thanks. 

Hi Everyone, Has everyone encountered any impact regarding the cached credential on Linux servers with AD Bridge installed? Particularly if the cached credential is managed by Password Safe and is being rotated regularly?  Thanks!

Hello Everyone,I’m working on password rotation for a custom (unsupported) application using the BeyondTrust Password Safe Cloud REST API. Before proceeding, I want to confirm whether such an application can be integrated for automated password rotation.Can someone clarify:What technical criteria or parameters must a custom application support in order to be compatible with Password Safe Cloud’s REST API-based password rotation?For example: Required authentication methods? Connectivity or protocol requirements? Ability to expose credentials or respond to rotation workflows? Any mandatory fields/settings needed in Password Safe for custom platforms? Any limitations or known restrictions for cloud API rotations? Any guidance or examples from your experience would be greatly appreciated.Thanks!

Hi All, I am onboarding Toad in BeyondTrust Password Safe. If anyone has done this before, could you please share the .ini or .au3 file you used for passing connection details? Thanks in advance. 

So, been getting repeated ongoing asks from our Compliance Team, and this is their ask: for a specific Managed Account, produce a report of every user that can access that credential? Anyone ever been able to pull that off? Using Analytics would be fine, just have not been able to find a report like that.

Hi everyone,Can you please help me understand how to create the custom reports for On-Prem Password Safe. I tried the Pivot Grids feature and it is not much helpful. Thanks,

I am getting an invalid credential when launching a web application. I tested the managed account and password is correct but when I inject this using the ps_automate, it comes up with an invalid credential. I have also added the “FixupPassword=1” under the General section since my password contains spaces. Anything I am missing here or should be trying out? 2025/11/04 13:56:52 [TaskSequence1] BEGIN2025/11/04 13:56:52 [Function] execute_task_sequence_webapp (TaskSequence1)2025/11/04 13:56:52 [TaskSequence1] [INI] WaitLoginWindowDelay=02025/11/04 13:56:52 [TaskSequence1] [INI] XPathElement=//*[@id="username"]2025/11/04 13:56:52 [TaskSequence1] [INI] XPathValue=%username%2025/11/04 13:56:52 [TaskSequence1] [INI] XPathAction=2025/11/04 13:56:52 [Function] insert_custom_strings (*MASKED*)2025/11/04 13:56:52 [Custom string] username2025/11/04 13:56:52 [TaskSequence1] END2025/11/04 13:56:54 [TaskSequence2] BEGIN2025/11/04 13:56:54 [Function] execute_task_sequence_webapp (TaskSequence2)2025/1

We have a requirement in our environment wherein we want to restrict users from modifying certain registry keys/ hives. We want to know:whether we can enforce this using EPM policies or do we need to use group policies for this?Will EPM Policy be able to block users from modifying registry values within their respective endpoints? Can Avecto Defendpoint Service identify such events related to registry modifications i.e. will we see event logs (in Event Viewer and BT EPM cloud console) related to every unique registry key/ hive?

Hello,We are using the secret safe api to pull secrets and plug them into our applications. When testing our script in  PowerShell it works, however, in Python, we are seeing a 404 error. Any idea? Our RunAs user is a domain account. TIA!

We setup the System Event Viewer in the WebConsole for reviewing appliance logs centrally.After doing so, we saw the database balloon in size, it appears the purge settings were not operating successfully.Does anyone know how this purge is supposed to work?Is there a daily scheduled action that runs? A scheduled overnight job? Or is the purge expected to continually happen such that only the last X days of data is retained?

Hi team, We have one windows non domain joined server on which functional test is failing  password rotation of managed account is failing We are getting below error when password test is tried Error(64): The specified network name is no longer available. We tried to RDP managed server from Resource Broker using functional account and it is working fine . All relevant ports(3389,445, 135) for the server from resource broker is successful.  We have followed the KB article : KB0020487 and KB0020498 and all the recommended steps are in place. Functional account also have the admin permission as recommended by product. Still the issue persist.  If anyone has seen similar issue and was able to resolve, please let me know .  If any additional information is needed for this issue, please let me know .  Awaiting response. thank in advance.Regards,Imran Aliyani

Hi All, The /appliance page is stuck after entering admin credentials and hitting login. Is there any solution to it or troubleshooting steps that can be performed. Problem:/webconsole is working as expected, /appliance fails to load after entering credentials, the webpage is stuck on the login window. Checked below:1. Inspected Browser Network logs2. IIS Logs3. Appliance Gateway Service logs4. Performed IISRESET, didn't work.

Hi Beekepr ,  Does Password safe support password rotation base on managed asset /application session instead of time-based interval. Regards,Maulik

Hello, we have a need to create a known managed account ( this is a local account on system) for multiple systems along with password. We do not want to rotate this password and is same across these systems. (This will not be used unless break-glass scenarios and has approvals + alerting configured). I am looking for a way to automatically sync the password.  I am able to create the account on newly onboarded system using managed system smart rule but can’t set the password.For subscriber/sync accounts , I think it requires Auto Password Management enabled .To do it via API , I think I will need to fetch the cred and send it back from an endpoint running the script. We want to avoid this and manage it within PS or the appliance.Is there a way to trigger this via smart rules . The managed system will be created using API and account created using smart rule. 

Does anyone here have experience with this issue with the PasswordSafe service? After updating to BI version 25.1.1, all of a sudden the services were not able to start. I also check the event viewer, and it says there was a missing DLL. as shown in the screenshot: 

Hello Is it possible to disable the personal folder in secret safe? can btadmin see the secrets in personal folder? If a user stores in personal folder , and the user leaves organization, we still need to be able to fetch the secrets saved by the user for the enterprise applications. So can we not show personal folders and only show the safes we create for the users?

In an on-premises Password Safe and PRA environment using the PASM model:I have two jumppoint clusters in PRA.Is it possible to configure certain servers, for example, the production area, to establish connections through the PRD jumppoint cluster, and for development servers, to establish connections through the QA jumppoint cluster?Could you please guide me on whether I should create multiple workgroups in Password Safe and configure them in PRA, and if so, how?Thank you.

Hello we are on PRA 24.3.4. I see that now we cannot install multiple jump clients on same machine. We have a use case where users have multiple computers (laptop\workstations) and use PRA to connect to those. For provisioning, we had made the Personal jump client option available per user and they were instructed to download client under their PRA login and install on their machine. Same machine has second instance of client which is pushed via SCCM. This is for IT support use case. Now that the multiple installations are not working , we need to find a way to copy existing jump client when a new user requests this type of access. We already have large number of computers and groups which are handled by API , trying to figure out a way to copy existing client when new users gets access to personal Jump item. Anyone else faced similar challenge any suggestions

Hi, I need to analyze all event logs and see which ones belong to end users who used privileged elevations to categorize them into the high-flex category. The filters in the Analytics tab seem limited and there are a lot of event logs.How can I quickly go about identifying which users belong in the high flex category?  Thanks all!

Hi All,In PRA, we have a SAML security provider configured for user authentication and provisioning. User will only be provisioned when they first-time logged in.Is there anyway we can pre-provision the users by LDAP/AD Group synchronization similar functionality as Password Safe (without using SCIM). Thanks, 

Hi everyone,We’re currently working on implementing BeyondTrust Password Safe Cloud in a multi-tiered architecture and are looking for detailed documentation or a white paper that outlines recommended setup for Data Center (DC), Disaster Recovery (DR), and UAT environments.If anyone has access to or has previously received the official BeyondTrust Password Safe Cloud architecture white paper ?Appreciate any pointers from the community 🙏

Hi Everyone , For our Password Safe cloud instance,  We have created the Mainframe system and onboarded the accounts on it . On this account under password safe, we have enabled check password and enabled “reset password on mismatch” option.However when the password of account is changed outside of Password Safe i. e directly on Mainframe system, at that time , even though reset password on mismatch is enabled on account under password safe, doesn’t trigger the password change option and hence password remain mismatched unless Admin reset is manually .My requirement , If password of account managed in password safe, gets changed outside of BT, then password should get reset under BT as well. At any given point , BT should have the correct password .Can anyone please let me know how to achieve this? With current setup I have done , what’s the thing I am missing ? Thanks in Advance. Regards,Imran

You can enable in Authentication Option that all new users are enabled with TOTP. but those accounts that are already synced, they are not affected by that setting, is there a smart way to do this then to open up 200 account and enable TOTP on each of them?