If a user forgets their master password, the normal recovery procedure is for the user to select "Need Help?" -> "Forgot Master Password" from the Web Vault or Desktop App login screen. This allows end users to perform a self-service reset by answering their custom security question. If a user never set up, or has forgotten, their custom security answer, "Vault Transfer" can be used to recover the account. This assumes vault transfer was configured and accepted by the end user before they were locked out.
1. Add / create a temporary user to assist in the account transfer.
2. Add the temporary user to the same vault transfer role as the locked-out user.
3. Log into the temporary user's web vault and accept the transfer agreement. Logging in will also move the user from "invited / pending" to an "active" status.
4. Log out of the temporary user's web vault.
5. Log into the Admin Console.
6. Inspect / document the locked-out user's role and team memberships. This information will be needed to re-create the account.
7. Perform a vault transfer of the locked-out user to the new temporary user. The original account will be deleted as part of the transfer operation.
8. Re-create the original locked-out user account. An email will be sent to the user inviting them to the platform instance.
9. Have the user log in once so they are moved from an "Invited" to an "Active" status.
10. Once the user is in an "active" status, add the user to the role which has vault transfer enabled. At this point, you can also add them to any other required team and/or role memberships.
11. Have the user log back into their vault and accept the vault transfer agreement. This step can be skipped if your vault transfer policy belongs to a role with "Add role to new users created in this Node and Sub nodes" enabled.
12. Within the Admin Console, transfer the temporary user's vault back to the original account.
Details on the vault transfer procedure are available here: https://docs.keeper.io/enterprise-guide/account-transfer-policy.