# User Management and Lifecycle

## Searching for a User

Clicking on the Search field will open a dynamic search tool that searches across Nodes, Roles, Teams and Users. The search feature uses a fuzzy searching mechanism to find the best match.

<figure><img src="https://4290574019-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LO5CAzpxoaEquZJBpYz%2Fuploads%2Ft9wfwLivWceylf7Olfxi%2FScreenshot%202025-04-11%20at%2012.27.47%E2%80%AFPM.png?alt=media&#x26;token=3a2aeee5-9ae3-4ade-a1bf-8a42243449c9" alt=""><figcaption><p>Searching</p></figcaption></figure>

Click on the headers (Nodes, Roles, Teams, Users) to filter the results.

<figure><img src="https://4290574019-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LO5CAzpxoaEquZJBpYz%2Fuploads%2FqSpYistG5pESPKYZga5D%2Fimage.png?alt=media&#x26;token=2df8c545-da5a-409c-a547-22d66ff116cb" alt=""><figcaption><p>Filter by Type</p></figcaption></figure>

## User Detail Screen

Once a user has been added, the Administrator can edit the user's profile. Select the user that you want to modify from the Users tab to see which details can be edited, such as Name, Roles, or Team.

<figure><img src="https://4290574019-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LO5CAzpxoaEquZJBpYz%2Fuploads%2FT3NQHc2SBwqYcRg92Gds%2FScreenshot%202025-02-03%20at%208.58.14%E2%80%AFPM.png?alt=media&#x26;token=9a96fef5-3982-4d44-aa0a-a2d1de29572b" alt=""><figcaption><p>User Detail Screen</p></figcaption></figure>

## User Status

Users can be in one of several states: **Invited**, **Active**, **Locked**, and **Locked by IdP**.

| Status        | Description                                                                                                                                                                                 |
| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Invited       | User has been invited to join Keeper but has not completed their account setup yet. User can be re-sent the invitation by selecting the **Resend Invite** button.                           |
| Active        | User has created their Keeper account and joined the organization.                                                                                                                          |
| Locked by IdP | User has been disabled by the linked identity provider such as Active Directory or Entra ID.                                                                                                |
| Locked        | User has been suspended (either manually by selecting the Lock Account button or automatically via AD Bridge or SCIM). To manually lock a user account, select the **Lock Account** button. |

## User Actions

Additional user actions can be performed from the **Edit User** dialog.

|         Action         | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| :--------------------: | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|       Edit a user      | Change the name of the user.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
|       Disable 2FA      | Disable the user's second factor authorization (2FA).                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
|    Transfer Account    | If Account Transfer is active for the user's role and the currently logged-in administrator has the Administrative Permission to perform a transfer, this action will move all records and shared folders from the user's account to a destination user account. The account must first be locked before you can perform a transfer. After the transfer is completed, the user account is deleted. More information on the Transfer Account action is detailed throughout this guide.                                         |
|       Delete User      | <p>Delete the user account.</p><p><strong>Note: this action cannot be undone and has serious consequences:</strong><br><br>1. All of this user's owned vault records will be immediately deleted, and they will be removed from all Roles, Nodes and Teams.<br>2. Any unshared records created by the user are deleted.<br>3. Any records shared from this user to other users will continue to be shared and will become "ownerless". Contact Keeper Support if you have questions regarding claiming ownerless records.</p> |
|      Lock Account      | To suspend an account and prevent the user from accessing their Vault, you can simply lock their account. This retains the user's owned records but blocks their access to their Keeper Vault. Any records and Shared Folders created by that user will still be accessible to other shared users and teams.                                                                                                                                                                                                                  |
| Expire Master Password | <p>Expire a user's Master Password outside of the enforcement policy periodicity. This functionality allows the administrator to specifically target a user to rotate their Master Password if a potential compromise is suspected.<br>Please note, the user must first authenticate with their current Master Password, after which they will be prompted to create a new Master Password.</p>                                                                                                                               |
|      Resend Invite     | If a user has been invited to join Keeper but has not yet completed their account setup, you can re-send their invitation to join.                                                                                                                                                                                                                                                                                                                                                                                            |
|  Reset Security Score  | Reset the stored calculations of the user's security score. Upon their next login on the Web Vault or Desktop App, the user's security scores will be re-calculated.                                                                                                                                                                                                                                                                                                                                                          |

### Email Changes

The email address of an invited user can be changed using either the Admin Console or Commander CLI. Once a user becomes active, their email address can no longer be changed from the Admin Console; for active users, email address changes can only be performed using Commander CLI. For security reasons, email addresses can only be changed to domains that are reserved to the tenant. Learn more about [domain reservation](https://docs.keeper.io/en/enterprise-guide/domain-reservation).

<figure><img src="https://4290574019-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LO5CAzpxoaEquZJBpYz%2Fuploads%2FzwcmL9jMVnh9ELy1S96D%2FScreenshot%202025-04-11%20at%2012.30.09%E2%80%AFPM.png?alt=media&#x26;token=64982cc9-3e28-43da-84ef-3f2ba3a9160e" alt=""><figcaption><p>Change Email</p></figcaption></figure>

### Commander CLI

Manage users from the command line using the [Keeper Commander CLI](https://docs.keeper.io/keeperpam/commander-cli/overview) tool.

Relevant commands:

* [`enterprise-user`](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#enterprise-user-command)
* [`enterprise-info`](https://docs.keeper.io/keeperpam/commander-cli/command-reference/enterprise-management-commands#enterprise-info-command)
* [`user-report`](https://docs.keeper.io/keeperpam/commander-cli/command-reference/reporting-commands#user-report-command)

For more information, see our [Keeper Commander Documentation](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/sharing-commands#one-time-share-command).
