Checking out managed account passwords

If you are authorized to check out passwords, you can retrieve the password for an account to enable you to log on to a target system. After you retrieve the password, it can remain checked out for a configurable period of time. What happens at the end of the allowed checkout period depends on whether the account password is managed by the Privileged Access Service or unmanaged.

If the password is a managed account password, the password you retrieved expires at the end of the checkout period and the Privileged Access Service automatically generates a new password for the account. If you check in the password before the end of the checkout period, the checkin also automatically generates a new password for the account. You can use policies to configure the maximum number of minutes a password can be checked out and whether multiple administrators can have a password checked out at the same time. You can also extend the password checkout time for a currently checked out password if you need more time to complete your work. With a managed account password, however, the only valid password is the one known and updated by the Privileged Access Service.