General settings

This topic describes how to configure the general settings for the PSM.


In Web Access Options, the General Settings parameters in the Privileged Session Management section define how the PSM functions.

These parameters are divided into the following groups:

General Setting > Parameter Name PSM capability

Search properties

Define the password and recording properties that can be used to search for session recordings.

Search properties

Server settings

Define the general PSM server settings.

Server settings

Configure the PSM log files.

Configure privileged sessions

Session settings

Define single sessions and the way that PSM handles recordings that cannot be uploaded to the Vault.

Configure privileged sessions
Upload recorded sessions to the Vault

Recorder settings

Configure the session recorder

Manage recording sessions

Connection client settings

Configure connection clients.

Configure PSM server details

Search properties

The parameters in SearchProperties define the password and recording properties that can be used to search for session recordings.




Specifies the maximum number of session recordings that are included in the recordings search results.

Default: 1000


Defines the recording properties that are searched.


Define the password properties that are searched.

Server settings

Define the general PSM server settings.




Specifies the maximum number of allowed concurrent PSM sessions.

To achieve best performance for user sessions, set a maximum number of concurrent sessions that is appropriate to the size of your PSM implementation.

For details about the maximum number of concurrent sessions that is supported for different PSM implementations, see System Requirements for PSM.


Specifies the maximum number of allowed concurrent processes to upload recording files to the Vault.


Specifies the interval in seconds between each configuration refresh process.


The number of days between processes that clear user profiles.

Specify '0' (zero) to disable.

Default: 30


(under Advanced Settings)

Determines whether or not a crash dump is created when a system error occurs.


(under Advanced Settings)

Specifies the maximum time in seconds to wait for internal jobs to finish when shutting down the server.


(under Advanced Settings)

For PSM for Windows: When using RADIUS authentication in CyberArk, where the RADIUS server is configured to work with LDAP, this parameter determines whether or not PSM requires the user to authenticate again after network level authentication (NLA).


(under Advanced Settings)

The default Smart Card authentication is based on PKI with Distinguished Name (DN). This parameter configures the authentication to be based on PKI with Principal Name (PKI\PN).

Enable ticketing system integration

This section describes how to enable ticketing system integration in PSM.

To enable the ticketing system integration with an RDP direct connection, connect to PrivateArk and add partial impersonation permissions to all PVWAGWAccounts.

  1. Go to Tools > Administrative Tools > Users and Groups and select the user.

  2. Click Update > General and select Provide partial impersonation.

For details, see Manage users.

For each new PVWA installed, make sure to provide the required permissions to the GW account.

Clean the Shadow user profile

This section describes how to configure PSM to clean Shadow user profiles.

When users initiate a connection (session) to a target machine via PSM, a PSM Shadow user is automatically created on the PSM machine and that's the user that is used to log on to the target machine and perform actions.

The purpose of the Shadow user is to isolate the session. This enables programs launched on the same server by different Vault users to run under different identities without the risk of information leaking between these sessions.

During the established session, some information is saved in the Shadow user profile, which can ultimately fill up the PSM server's storage.

PSM includes an automatic cleanup process in order to manage the PSM server's storage space. You can change the default settings, such as the threshold of the Shadow user profile folder size or which subfolders to empty.

For the full list of settings, see Shadow user profile settings.

When the user profile folder exceeds the set threshold, the end user receives a warning at the beginning of the session.

To modify the default settings of the Shadow user profile:

  1. In the PVWA , click Administration> Options.

  2. Go to Privileged Session Management > General Settings > Server Settings.

  3. Right-click Server Settings and select Add User Profile Settings.


If your PSM servers are 11.6 or earlier versions, you need to restart them after you add this section.

Shadow user profile settings

The following table includes the Shadow user profile settings.




The Shadow user profile folder on the PSM machine is limited in size. Set this parameter to define the threshold in MB. When the folder exceeds the threshold, a message is displayed to the user at the beginning of each session.

Default: 100


When the Shadow user profile folder exceeds the UserProfileThreshold, the corresponding user's session responds according to the following:

  • Notify - A message is displayed to the user at the beginning of the session

  • Terminate - A message is displayed to the user at the beginning of the session and the session is terminated

  • Off - The Shadow user profile folder is not examined at the beginning of the session and there is no notification

Default: Notify


Default Value Notify
Description The message displayed to the user at the beginning of a session when the Shadow user profile folder on the PSM machine exceeds the UserProfileThreshold.
Acceptable Values String
Default Value

User profile storage space has been exceeded. Please contact your administrator


Define an interval (in hours) when all Shadow user profile folders are cleaned. Shadow user profile folders are cleaned when 70% of the UserProfileThreshold is reached.

Use '0' to disable cleanup.

Use '0' to disable cleanup.

Default: 24


The Shadow user profile folders to be cleaned.

Use '-' to entirely remove the Shadow User from the PSM machine.

Default: Desktop, Documents, Downloads, Favorites, Links, Music, Pictures, Saved Games, Videos


The timeout (in seconds) for every Shadow user profile folder removal. If the timeout is reached before the folder is deleted, PSM will try to delete the folder at the next CleanupInterval.

Default: 120

Configure privileged sessions

The following parameters in Session Settings configure privileged sessions:




This parameter determines the maximum duration of the session, in minutes. This can be specified as a general PSM parameter or in a specific platform.

When users log off from the remote Windows machine, the sessions on both the PSM and the remote machine are ended. However, when users disconnect the session by clicking Close or if the MaxSessionDuration parameter has expired, the PSM session is automatically ended, but the session on the remote machine continues running. The next time they log onto the same remote machine through the PSM, they will continue the same session as before. To prevent this, make sure that the Terminal Server is configured to end disconnect sessions after a specific time period.


Determines whether to enforce the Timeframe set in the Dual Control request on the PSM connection.

If the parameter is set to Yes, PSM sessions are terminated at the end of the Timeframe or at the end of the MaxSessionDuration, whichever is sooner.

The user receives a notification before the session is terminated. The timing of the warning is based on the WarningDisconnectionInterval value .


This parameter specifies the number of minutes before the user’s session will be disconnected that a warning message about the disconnection will be displayed.


The parameter specifies the maximum number of seconds that end user messages will be displayed.

Upload recorded sessions to the Vault

The following parameters in Session Settings determine how the PSM handles retries when the Vault is not available and recordings cannot be uploaded.




This parameter specifies the delay in seconds between upload retries to the Vault.


This parameter specifies the maximum number of uploading retries to the Vault.

Manage recording sessions

The following parameters, in Recorder Settings, define how the PSM will manage recordings:




This parameter dynamically adjusts the frames per second rate of the PSM video recorder to decrease the performance impact. This may result in reduced quality when playing the recorded videos.


The deprecated EnableDynamicFPS parameter in the basic_psm.ini file on the PSM overrides this parameter.

The basic_psm.ini file is found in the PSM installation folder. By default, this is C:\Program Files (x86)\CyberArk\PSM.


This parameter specifies number of frames to capture per second. The default value is 3.

This parameter is used only when EnableDynamicFramesPerSecond is set to No.


This parameter specifies the name of the local folder where recordings are saved until they are uploaded to the Vault. By default, recordings are temporarily stored in the PSM installation folder.


PSM 12.2 and higher uses a local configuration for the PSM Recordings folder. See RecordingsDirectory.

Configure the PSM Log Files

The types of messages included in the PSM log files are determined by the TraceLevels parameters in the Connection Client Settings, as follows:

The PSMTrace.log is configured by the following parameters in Server Settings:




This parameter defines the maximum size in MB of the log file before it is rotated to another location, and a new log file is started.


This parameter sets the debug level of the PSM Server.

A new log file is created for each session for the recorder and the connection client. The trace levels for these files are specified in the following parameters:




The <SessionID>.Recorder.log is configured in the Recorder Settings.

<SessionID>.<connection client >.log

The <SessionID>.<connection client >.log is configured in the Connection Client Settings.

For more information about logging for the PSM Recorder, refer to PSM activity logs.

Configure PSM server details

The PSM server connection details determine how the PVWA will access the PSM server. You can configure as many PSM servers as you need.

The following parameters in the Configured PSM Servers parameters define the PSM server details:




This parameter specifies the address of the PSM server machine used by passwords associated with the platform that uses this PSM server.


This parameter specifies the port used to access the PSM Server machine used by passwords associated with the platform that uses this PSM server.


These parameters specify the location where the password of the logon account for the PSM Server is stored, and the Object parameter specifies the name of the password.