Vault Professional offers the ability to make use of Active Directory (AD) accounts in your Windows domain. There are several aspects of this that are worth discussing. Many companies use local accounts in Vault to manage their users’ access. One of the drawbacks is that user passwords are not enforced, nor are they required to be updated. For some, this is not acceptable. Vault Professional supports using the users’ accounts in Windows Active Directory as a better way to manage this.
Within Vault’s ADMS console, go to Tools – Administration. This will open the global settings dialog box and display the Security tab, containing users, groups, and roles. You can also open the Vault full client and go to Tools – Administration – Global Settings.


As I mentioned, you can create user accounts that are internal to Vault and are entirely managed by Vault. The alternative is to import the accounts from Active Directory. Use the “Import Domain User” under Actions. Type in the user account name and use “Check Names” to verify that this is the desired person. Multiple users can be imported by separating the IDs with semicolons.

A big benefit to this process is that it brings in the user’s ID, first and last name, as well as their email address. It also reads the user’s Windows password, so that the user does not have to maintain an additional password for access to Vault. When the user logs into the Vault client, their credentials are verified against their AD account. A change to your Windows password is recognized by Vault, reducing the amount of administrative maintenance needed. The password complexity requirements carry through from Windows, providing the level of security your company requires.
Are there any negatives to this process? I will offer one. Some companies set up their Active Directory with user IDs that have no relationship to the user’s name. For example, a company may assign my Windows account ID as a six-digit number. This will import into Vault as that same six-digit number, so that any reference to my actions in Vault will be listed by that same number. I will recognize it as my number, but my colleagues may not. I will need to acquire a listing of those employees’ IDs and names to cross-reference, so that I can tell who did what in the Vault.
Importing users can be simplified if you set up a group in Active Directory of Vault users. In the Group section of Vault, use the command “Import Domain Group” to import a group from Active Directory. This will automatically import all the users within the group. Take care when using this command. You can easily import a group of the entire staff at your company, which may import many more users than you intended. And, once you have created a user account, it cannot be deleted.
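Because imported accounts cannot be deleted, it helps to review a group's membership before running “Import Domain Group”, and the same listing serves as the ID-to-name cross-reference mentioned above. The PowerShell below is an added example, not part of Vault or of the original article; the group name `Vault-Users`, the 50-user limit, the output file name and the sample users are all assumptions.

```powershell
# Added example: preview an AD group before "Import Domain Group" in Vault.
# Group name, limit, file name and sample data are assumptions, not Vault settings.
function Get-VaultImportPreview {
    param(
        [Parameter(Mandatory)] [object[]] $Users,  # objects shaped like Get-ADUser output
        [int] $MaxExpected = 50                    # hypothetical sanity limit on group size
    )
    $rows = foreach ($u in $Users) {
        [pscustomobject]@{
            VaultUserId = $u.SamAccountName        # the ID Vault will list actions under
            FirstName   = $u.GivenName
            LastName    = $u.Surname
            Email       = $u.mail
            Enabled     = [bool]$u.Enabled
            NumericId   = $u.SamAccountName -match '^\d+$'  # ID unrelated to the name
        }
    }
    [pscustomobject]@{
        Count    = @($rows).Count
        TooLarge = @($rows).Count -gt $MaxExpected
        Disabled = @($rows | Where-Object { -not $_.Enabled })
        Rows     = @($rows | Sort-Object VaultUserId)
    }
}

# Against a live domain (needs the RSAT ActiveDirectory module), build $users with:
#   $users = Get-ADGroupMember -Identity 'Vault-Users' -Recursive |
#            Where-Object objectClass -eq 'user' |
#            Get-ADUser -Properties mail
# Constructed sample standing in for that query so the script runs offline:
$users = @(
    [pscustomobject]@{ SamAccountName='104233'; GivenName='Ana';  Surname='Reyes'
                       mail='ana.reyes@example.com';  Enabled=$true }
    [pscustomobject]@{ SamAccountName='104871'; GivenName='Luis'; Surname='Ortega'
                       mail='luis.ortega@example.com'; Enabled=$false }
    [pscustomobject]@{ SamAccountName='jchen';  GivenName='Jo';   Surname='Chen'
                       mail='jo.chen@example.com';    Enabled=$true }
)

$preview = Get-VaultImportPreview -Users $users -MaxExpected 50
if ($preview.TooLarge) {
    Write-Warning "Group has $($preview.Count) users; confirm it is the intended group."
}
foreach ($d in $preview.Disabled) {
    Write-Warning "Disabled in AD but would still be imported: $($d.VaultUserId)"
}
# Cross-reference listing: who is behind each (possibly numeric) Vault user ID.
$preview.Rows | Export-Csv -Path .\vault-user-crossref.csv -NoTypeInformation
$preview.Rows | Format-Table VaultUserId, FirstName, LastName, Email, Enabled
```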

Another important concept to address here is promotion and demotion. I see existing installations that contain multiple accounts for the same user, some local and some AD accounts. While there is a place for a user having a ‘normal’ user account and an ‘admin’ user account, having multiple accounts should otherwise be discouraged. It is confusing and introduces additional security risks. What you can do, if you already have local accounts in Vault, is to promote those accounts to AD accounts. This is managed individually, but will take very little time to change. Select a local user account and use the command “Promote to Domain User”. Again, it will prompt you with the AD lookup dialog, check the name, and you will have promoted the local account to a domain account.

Conversely, if you find a reason to have a user use a local account, you can select the domain account and use the command “Demote Domain User”. This will simply switch the account back to a local account, with all the settings remaining intact (first and last name, email address, and password the same as AD). In this case, a change to your Windows password will not be updated in your local Vault account.
A last word of warning. It is unwise to rename local accounts in Vault. If you create an account for a temporary employee, and then try to reuse that account for the next temporary employee, you will find that after changing the account from ‘Tom’ to ‘Mike’ the Vault will now show Mike as having performed all the work that Tom had done as well. I recommend disabling a user’s account when they leave the company and creating a new account for a new employee. You can sort the employee listing by the ‘Enabled’ column to put all the disabled accounts at the bottom of the list.
Using your Windows account is easy. When you reach the login box, set the pull-down at the top to “Windows Account”. You will notice that your user ID and password are disabled (grayed out). This is because it is reading in your credentials from your domain account, and as such you cannot log in as someone else, only as the account you are logged into Windows with.

If you check the box to ‘Automatically log in next session’, it will always reread your Windows credentials and take you right into that vault session.