Disabling Local Vault via Admin Enforcement on Windows

Disabling on Installation

If you are installing Verify Privilege Vault Remote for the first time or local vault was previously disabled, follow the instructions below: 

  1. Install Verify Privilege Vault Remote version 2.6 or newer in quiet mode.

    IBMSecurityVerify.PrivilegeVaultRemote.msi /quiet RUNCM=runCM KEYS="-disablelocalvault "
  2. Open the Registry Editor and go to the Verify Privilege Vault Remote key at the following path:

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\IBMSecurity\IBM Security Verify Privilege Vault Remote

  3. Open the AdminConfig folder inside the Verify Privilege Vault Remote folder.

  4. Inside the AdminConfig folder, you will see a DisableLocalVault setting. By default, this setting is set to n, meaning that local vault is enabled for local users.

  5. Change this value to y to disable local vault for all users.

    If users already had existing local vaults created, they will be able to continue using them after this setting is applied.

Backing Up and Disabling Existing Local Vaults

If users already had an existing local vault created, administrators can disable these local vaults, before or after installation, by following these steps: 

  1. Open the Registry Editor and go to the Verify Privilege Vault Remote key at the following path:

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\IBMSecurity\IBM Security Verify Privilege Vault Remote

  2. Change the value of the DisableLocalVault setting to fy.

  3. When users launch Verify Privilege Vault Remote, they will need to enter the password to the local vault, and they will see a message that their local vault was disabled by the administrator.

The local vault option in the left side navigation will be disabled for all users and a backup for the .dat file will be automatically created. This setting will take effect when Verify Privilege Vault Remote is relaunched.

Re-Enabling Local Vault After Disabling

Administrators can centrally re-enable local vaults by following the steps below: 

  1. Change the DisableLocalVault value in the Registry to n or delete this value altogether.

  2. In the Main Menu left-side navigation, click Enable Local Vault.

  3. Delete the current ConnectionManager.dat file.

  4. Rename the backup file ConnectionManager.dat.bak to ConnectionManager.dat.
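
To confirm which of the states described above (n, y, fy, or value absent) is in effect on a machine without opening the Registry Editor, the following PowerShell function reads DisableLocalVault and can optionally set it. It is an added example, not part of the product or its documentation: the function name, its parameters and the string (REG_SZ) type used when the value has to be created are assumptions; the key path and the three values come from the steps above.

```powershell
# Added example: audit (and optionally enforce) the DisableLocalVault value.
# Key path and value name come from the steps above; the function name, its
# parameters and the REG_SZ type used on creation are assumptions.
function Test-LocalVaultPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('n', 'y', 'fy')]
        [string]$Desired = 'y',
        [switch]$Enforce
    )
    $key  = 'HKLM:\SOFTWARE\IBMSecurity\IBM Security Verify Privilege Vault Remote\AdminConfig'
    $name = 'DisableLocalVault'

    # A missing key or value is reported as 'n': the page states that deleting
    # the value re-enables local vault.
    $observed = 'n'
    $present  = $false
    if (Test-Path -LiteralPath $key) {
        $item = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $observed = ([string]$item.$name).Trim().ToLowerInvariant()
            $present  = $true
        }
    }
    $meaning = switch ($observed) {
        'n'     { 'Local vault enabled for local users' }
        'y'     { 'Local vault disabled; vaults created earlier remain usable' }
        'fy'    { 'Existing local vaults disabled and backed up at next launch' }
        default { 'Unrecognized value (expected n, y or fy)' }
    }
    $changed = $false
    if ($Enforce -and $observed -ne $Desired -and
        $PSCmdlet.ShouldProcess("$key\$name", "Set to '$Desired'")) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        # Assumption: REG_SZ when creating; an existing value keeps its own type.
        if ($present) { Set-ItemProperty -LiteralPath $key -Name $name -Value $Desired }
        else { New-ItemProperty -LiteralPath $key -Name $name -Value $Desired -PropertyType String | Out-Null }
        $changed = $true
    }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Observed  = $observed     # value read before any change was made
        Meaning   = $meaning
        Changed   = $changed
        Compliant = ($changed -or $observed -eq $Desired)
    }
}

Test-LocalVaultPolicy -Desired 'y'    # report only; nothing is written
```

Run it from an elevated session when using `-Enforce`; adding `-WhatIf` previews the registry write without making it.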