Real Time Authorization
Real Time Authorization allows administrators to remove users from groups while they are logged in with a directory account and use the registry key to perform an additional check to ensure that the user still has access to the password at the time they requested it. This puts the user through the log in process every time a password is requested.
Enable the following registry key to turn on this feature:
HKLM\SOFTWARE\BeyondTrust\PBPS\EnableCheckoutAuthorization
After the user is removed from the group, they receive the following error message when they request password access: Missing required Password Safe role.