Lost user-password, DELETE user and make new one

Hi wardeneers,

An employee forgot his password.
I learned that vaultwarden uses the password for encrypting his data, so there is no feature to reset the password as an admin. So far so good / bad.

But:
when I delete (revoke) the user or use his same email address to make a NEW account, the invitation-Link results in the normal LOGIN-Page (welcome back).
So it seems to be impossible to DELETE a user completely. Email seems to be the primary key in the DB.

Questions:
Any chance to access the SQLiteDB and DELETE a user, giving me the chance to make a NEW one with the old email-address? There are 3 here: db.sqlite3, db.sqlite3-shm, db.sqlite3-wal

There are no passwords in the user’s vault, because we just started to use vaultwarden for the team. So recovery is not needed. But I do not want to make a 2nd email account for users that have problems with the login.

Am I right that any PW the user stored in a collection is still there? Because the owner of the collection is the company.

Any ideas?

Klaus


Have you happened to enable Organization Admin Password Reset by chance?

This is supported in Vaultwarden and is the easiest method to reset the user password; I am not aware of any additional methods personally.


Deleting the user from the Org vault and shared collections will not delete the user in your Vaultwarden instance, this simply removes them from the shared organization and vault items stored in the Organization collections.

I believe you can delete the user via the Admin Page if that is enabled as well.

That sounds easier than manipulating the SQLite db!

I found in the Admin-Console / Settings / Policies:
“Account recovery administration”
there is: “Based on the encryption method, recover accounts when master passwords or trusted devices are forgotten or lost.”

Prerequisite
The single organization Enterprise policy must be turned on before activating this policy.

Warning
Existing accounts with master passwords will require members to self-enroll before administrators can recover their accounts. Automatic enrollment will turn on account recovery for new members.

there are 2 checkboxes:
Turn on
Require new members to be enrolled automatically

Has this any relation to Your suggestion?

There is another option: Remove unlock with PIN (turned off at the moment)
Does this mean that there is a 2nd way to log in? Where can I set the PIN?
The only other code I found when inviting users is a fingerprint. Is this something else than the PIN?

I am confused…

Klaus

I cannot find this Option. How do I have to activate this?

Best regards

Klaus

I would recommend to enable both the policy and to require new members to enroll automatically if you want to avoid recovery issues in the future.

Unfortunately this requires the user to be added to the Org after this policy is enabled or the user will need to self-enroll if already a member of the Org prior to the policy being enabled.
Should have mentioned that at first but seems you found that notice anyways.

Turning on the Account recovery administration policy will allow owners and admins to use password reset to reset the master password of enrolled users. By default, users will need to self-enroll in password reset, however the automatic enrollment option can be used to force automatic enrollment of invited users.

The Account recovery administration policy is required for your organization to use SSO with trusted devices.

Note
The Single organization policy must be enabled before activating this policy.

So this will not assist if the policy is not currently enabled and the user has forgotten their credentials.

This would not have anything to do with logging in to the user’s account, this simply disables the option for the account to be Unlocked with PIN. I recommend looking up and reviewing the differences between Vault Unlock and Vault Login.


If the concern here was simply resetting 2FA that can be disabled via the Admin panel, but if they have forgotten their master password likely the only course of action then would be to delete the user from the backend admin panel, and invite the user again to your instance and have them added to your Org.

Otherwise then you may need to edit the DB manually to delete the account.
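As an added illustration of that last resort (not code from the thread or from the Vaultwarden project), the script below works on a constructed, much-simplified stand-in for the SQLite database: the table and column names are assumed for the toy model and are not the real Vaultwarden schema. It shows the two things an admin editing the DB by hand has to get right: taking the backup through SQLite's backup API so that pages still sitting in db.sqlite3-wal are included, and removing the user's dependent rows in one transaction while leaving organisation-owned vault items untouched.

```python
import os
import sqlite3
import tempfile

# Constructed, simplified stand-in for a Vaultwarden database (assumed names, not
# the real schema): a user, its org memberships, and vault items. Items owned by
# an organisation have organization_uuid set and user_uuid NULL.
SCHEMA = """
CREATE TABLE users (uuid TEXT PRIMARY KEY, email TEXT UNIQUE NOT NULL);
CREATE TABLE users_organizations (uuid TEXT PRIMARY KEY, user_uuid TEXT NOT NULL,
                                  org_uuid TEXT NOT NULL);
CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, user_uuid TEXT, organization_uuid TEXT);
"""

def make_sample_db(path):
    """Create a WAL-mode sample DB (constructed data, not from any real instance)."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=WAL")  # this is what creates the -wal/-shm files
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("u1", "alice@example.test"), ("u2", "klaus@example.test")])
    con.executemany("INSERT INTO users_organizations VALUES (?, ?, ?)",
                    [("m1", "u1", "org1"), ("m2", "u2", "org1")])
    con.executemany("INSERT INTO ciphers VALUES (?, ?, ?)",
                    [("c1", "u2", None), ("c2", None, "org1")])  # c2 is org-owned
    con.commit()
    con.close()

def backup_db(src_path, dst_path):
    """Consistent copy via the backup API: unlike `cp db.sqlite3`, it includes
    committed pages that still live only in the -wal file."""
    src, dst = sqlite3.connect(src_path), sqlite3.connect(dst_path)
    try:
        src.backup(dst)
    finally:
        src.close(); dst.close()

def delete_user_by_email(path, email):
    """Delete the user and its per-user rows atomically; org-owned items stay.
    Returns the removed user's uuid, or None if no such email exists."""
    con = sqlite3.connect(path)
    row = con.execute("SELECT uuid FROM users WHERE email = ?", (email,)).fetchone()
    if row is not None:
        with con:  # commits on success, rolls back if any statement fails
            con.execute("DELETE FROM ciphers WHERE user_uuid = ?", row)
            con.execute("DELETE FROM users_organizations WHERE user_uuid = ?", row)
            con.execute("DELETE FROM users WHERE uuid = ?", row)
    con.close()
    return None if row is None else row[0]

def remaining(path):
    """(users, memberships, ciphers) row counts still in the database."""
    con = sqlite3.connect(path)
    counts = tuple(con.execute("SELECT COUNT(*) FROM " + t).fetchone()[0]
                   for t in ("users", "users_organizations", "ciphers"))
    con.close()
    return counts

def demo():
    """Run backup + delete on a throwaway copy and return the observed counts."""
    with tempfile.TemporaryDirectory() as d:
        db, bak = os.path.join(d, "db.sqlite3"), os.path.join(d, "db.backup.sqlite3")
        make_sample_db(db)
        backup_db(db, bak)
        before = remaining(db)
        removed = delete_user_by_email(db, "klaus@example.test")
        unknown = delete_user_by_email(db, "nobody@example.test")
        return {"before": before, "removed": removed, "unknown": unknown,
                "after": remaining(db), "backup": remaining(bak)}

if __name__ == "__main__":
    print(demo())
```

Stop the Vaultwarden service before touching the live file, otherwise the running process and your script are writing to the same WAL at once.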