Error: You can only delete an application resource or account domain when it is not being referenced in the password or shared key checkouts.

  • 7022841
  • 11-Apr-2018
  • 19-Dec-2019


Privileged Account Manager 3.7
Privileged Account Manager 3.6
Privileged Account Manager 3.5
Privileged Account Manager 3.2


An existing password checkout request fails to check back in, preventing deletion of the account domain from the Privileged Credential Vault (crdvlt).
Trying to delete an Application Resource or Application Account Domain that has previously been used for Password Checkout from the crdvlt results in the following error dialog in the browser:

Please try again. Error Message: You can only delete an account domain when it is not being referenced in the password or shared key checkouts.


A credential has been actively checked out and has not yet been checked in successfully. Refer to the DEBUG unifid.log for more details on the reason for this failure. Once all pending credentials have been checked back in, the credential vault will permit deletion of this account domain.

If the password cannot be checked in successfully, or you simply want to clear the pending check-ins, it should be possible to check in the failing request once the resource is reconfigured so that "Password Change (Check In)" is set to "Never":

  1. Edit the Resource in the Vault and set the "Password Change (Check In)" to Never.
  2. Check in the password for the resource. The check-in will succeed because no script is executed to change the password in the target application.

Otherwise, it may be possible to remove the pending check-in manually from the database. Please contact Support by creating a Service Request using the Customer Center for further help addressing this issue. For more details, please refer to the Technical Support Handbook.


An Application Resource or Account Domain cannot be deleted while a credential is actively checked out.