AnsweredAssumed Answered

Problem viewing account passwords after reaching their checkout expiration

Question asked by klauspm on Mar 5, 2014
Latest reply on Mar 10, 2014 by Chris_Hackett
We've got slightly over 100,000 Windows Workstation local administrator accounts vaulted now (Windows Agentless Endpoints using a 'special' domain account to administer them).  I set them up for exclusive checkouts with a 1440 minute expiration (the example below has a 10 minute expiration for testing purposes).  I also have them configured to change the password on checkin (but not on checkout).  For the most part this works pretty well except we're finding that we have several hundred accounts 'stuck' in exclusive checkout.  These are accounts that were checked out when the client was broken (eg. fell off the domain and need to be rejoined).  Once rejoined, the ContolMinder typically successfully resets the password within 24 hours, but in some cases, the client doesn't get fixed and ControlMinder can't connect to them to reset the password (we use a domain account for ControlMinder to administer these clients). 
This wouldn't really be much of an issue except for the fact that after that 24 hour checkout period is done, ControlMinder won't let the user 'View' the password anymore.  They get an error stating "Operation failed to complete. Check in the account password and check out the password again."  I understand why this error message comes up, but would rather let our users still view the password even though ControlMinder is actively trying to reset it (it just can't because the client is still broken).  I can still view password history for these accounts, but I don't want to give that privilege to my users.  Any ideas?  Any way to suppress that message and allow them to view the passwords?  Any way to take off the 'Exclusive Checked Out' status if ControlMinder isn't successful at checking it back in (I think I figured out how to by manipulating some database tables, but that's not ideal)? 
(sorry, this was kind of wordy, probably should open a ticket on this - I also confirmed this is the case for 12.6, 12.7, and 12.8)