Privileged Identity Disconnected Account Management

Privileged Identity helps you to establish a base of knowledge regarding the systems and devices in your network, to identify what accounts are on those systems and devices, and to enable ongoing password or SSH key rotation for those accounts. For proactive discovery and management of systems, the target systems need to be online and have network connectivity with Privileged Identity. However, many users work offline on a regular basis, making this proactive management difficult at best.

To solve this problem, we offer disconnected account management. Disconnected account management (DAM) allows you to continue password randomization on systems that do not regularly connect to the network. Combined with the elevation feature, privileged users can access offline systems with the confidence that the local admin account continues to receive new randomized passwords on a schedule.

Disconnected account management generates cryptographically secure secret data on the server that hosts the web service. Machines managed by DAM do not need to be continuously reachable by Privileged Identity; they must, however, check in with the web service on a scheduled basis to pull the current shared secret and policy settings.

Each client endpoint pulls a shared secret from the web service, along with the password policy settings. Client and server apply the same one-way hash functions to the same secret data to derive a sequence of passwords for the local accounts. Because both sides hold the same secret and the same settings, each can compute the current derived password at any time, whether or not the endpoint is connected.

DAM never stores passwords. Instead, it regularly derives new passwords from the cryptographically secure secret data. You set the criteria for this data: how often a new password is derived, the character set, the password length, and how often the shared secret itself is replaced. When scheduled, the web service delivers a new shared secret to the DAM-managed system, and the derivation cycle begins again. Because each derived password is valid only for its rotation window and is replaced on a schedule, a captured credential or hash has a limited window of use, which helps mitigate pass-the-hash attacks and lateral movement.
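The sketch below is an added illustration of the mechanism described above, not BeyondTrust's own algorithm or code: a shared secret plus policy settings (length, character set, rotation interval) determines a sequence of passwords that both the endpoint and the server can recompute offline. The construction (HMAC-SHA256 keyed by the shared secret, a rotation-window counter, and rejection sampling onto the allowed character set) and all names such as `PasswordPolicy`, `period_index`, and `derive_password` are this example's own assumptions; binding the derivation to the hostname and account name is likewise a design choice of the example.

```python
"""Time-windowed password derivation from a shared secret (illustrative only;
not the product's algorithm). Both sides run the same code on the same inputs."""
import hashlib
import hmac
import string
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Settings the endpoint pulls from the web service (names are assumed)."""
    length: int = 20
    alphabet: str = string.ascii_letters + string.digits + "!@#$%^&*"
    rotation_seconds: int = 24 * 3600  # how often a new password is derived


def period_index(unix_time: int, rotation_seconds: int) -> int:
    """Rotation window a timestamp falls in. Identical on client and server,
    so both compute the same 'current' password without talking to each other."""
    return unix_time // rotation_seconds


def derive_password(secret: bytes, hostname: str, account: str,
                    period: int, policy: PasswordPolicy) -> str:
    """Derive the password for (hostname, account) in one rotation window.

    HMAC is keyed by the shared secret, so a derived password (or its hash)
    captured from a host does not let an attacker compute other windows.
    The hash output is mapped onto the policy alphabet with rejection
    sampling so every character is uniformly distributed (no modulo bias).
    """
    if policy.length <= 0 or not policy.alphabet:
        raise ValueError("invalid password policy")
    n = len(policy.alphabet)
    limit = 256 - (256 % n)  # reject bytes >= limit instead of biasing them
    context = f"{hostname}\x00{account}\x00{period}".encode()
    chars = []
    counter = 0
    while len(chars) < policy.length:
        block = hmac.new(secret, context + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        counter += 1
        for b in block:
            if b < limit:
                chars.append(policy.alphabet[b % n])
                if len(chars) == policy.length:
                    break
    return "".join(chars)


def current_password(secret: bytes, hostname: str, account: str,
                     unix_time: int, policy: PasswordPolicy) -> str:
    """What either side would compute as 'the password right now'."""
    return derive_password(secret, hostname, account,
                           period_index(unix_time, policy.rotation_seconds), policy)


if __name__ == "__main__":
    # Constructed demo inputs: a fixed 32-byte secret and two hostnames.
    secret = bytes(range(32))
    policy = PasswordPolicy(length=16, rotation_seconds=3600)
    now = int(time.time())
    server_view = current_password(secret, "laptop-01", "Administrator", now, policy)
    client_view = current_password(secret, "laptop-01", "Administrator", now, policy)
    assert server_view == client_view  # offline agreement without any exchange
    other_host = current_password(secret, "laptop-02", "Administrator", now, policy)
    assert other_host != server_view  # same secret, different host, different password
    print("laptop-01:", server_view)
    print("laptop-02:", other_host)
```

Two points worth noting in practice: the window index is computed from the clock, so client and server clocks must agree to within the rotation interval or the endpoint will hold a password the server no longer expects; and the derivation is only as strong as the shared secret, so the value pulled from the web service must be random, transported over an authenticated channel, and protected at rest on the endpoint.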

Disconnected account management is a licensed feature of Privileged Identity. To purchase a DAM license, please contact your BeyondTrust Sales rep.