User Management and Lifecycle
Managing users and lifecycles in the Keeper Admin Console
Searching for a User
Clicking on the Search field will open a dynamic search tool that searches across Nodes, Roles, Teams and Users. The search feature uses a fuzzy searching mechanism to find the best match.
Click on the headers (Nodes, Roles, Teams, Users) to filter the results.
User Detail Screen
Once a user has been added, the Administrator can edit or make changes to a user's profile. By selecting the user that you want to modify from the Users tab, you will notice what user details can be edited, such as Name, Roles, or Team.
User Status
Users can be in one several states: Invited, Active, Locked, and Locked by IdP.
Invited
User has been invited to join Keeper but has not completed their account setup yet. User can be re-sent the invitation by selecting the Resend Invite button.
Active
User has created their Keeper account and joined the organization.
Locked by IdP
User has been disabled by the linked identity provider such as Active Directory or Entra ID.
Locked
User has been suspended (either manually by selecting the Lock Account button or automatically via AD Bridge or SCIM). To manually lock a user account, select the Lock Account button.
User Actions
Additional user actions can be performed from the Edit User dialog.
Edit a user
Change the name of the user.
Disable 2FA
Disable the user's second factor authorization (2FA).
Transfer Account
If Account Transfer is active for the user's role and the currently logged-in administrator has the Administrative Permission to perform a transfer, this action will move all records and shared folders from the user's account to a destination user account. The account must first be locked before you can perform a transfer. After the transfer is completed, the user account is deleted. More information on the Transfer Account action is detailed throughout this guide.
Delete User
Delete the user account.
Note: this action cannot be undone and has serious consequences: 1. All of this user's owned vault records will be immediately deleted, and they will be removed from all Roles, Nodes and Teams. 2. Any unshared records created by the user are deleted. 3. Any records shared from this user to other users will continue to be shared and will become "ownerless". Contact Keeper Support if you have questions regarding claiming ownerless records.
Lock Account
To suspend an account and prevent the user from accessing their Vault, you can simply lock their account. This retains the user's owned records but blocks their access to their Keeper Vault. Any records and Shared Folders created by that user will still be accessible to other shared users and teams.
Expire Master Password
Expire a user's Master Password outside of the enforcement policy periodicity. This functionality allows the administrator to specifically target a user to rotate their Master Password if a potential compromise is suspected. Please note, the user must first authenticate with their current Master Password, after which they will be promoted to create a new Master Password.
Resend Invite
If a user has been invited to join Keeper but has not yet completed their account setup, you can re-send their invitation to join.
Reset Security Score
Reset the stored calculations of the user's security score. Upon their next login on the Web Vault or Desktop App, the user's security scores will be re-calculated.
Email Changes
Email addresses can be edited by the Keeper Admin through the user interface or through the Commander CLI. For security reasons, emails can only be changed to domains which are reserved to the tenant. Learn more about domain reservation.
Commander CLI
Manage users from the command line using the Keeper Commander CLI tool.
Relevant commands:
For more information see our Keeper Commander Documentation.
Last updated
Was this helpful?