Discovery: Discover Accounts, Endpoints, and Services in a Domain

Vault

Discovery

BeyondTrust Vault is an on-appliance credential store, enabling discovery of and access to privileged credentials. You can manually add privileged credentials, or you can use the built-in discovery tool to scan and import Active Directory and local accounts into BeyondTrust Vault.

For more information, please see BeyondTrust Vault Technical Whitepaper.

Discovery: Windows Domain

With the BeyondTrust Vault add-on, you can discover Active Directory accounts, local accounts, Windows service accounts, and endpoints. Jumpoints are used to scan endpoints and discover the accounts associated with those endpoints.

Click New Discovery Job to initiate a discovery. The options are:

  • Windows Domain: Discover endpoints, domain accounts, and local accounts accessible from a Jumpoint on a Windows domain.
  • Local Windows Accounts on Jump Clients: Discover local Windows accounts on machines where an active, service mode Jump Client is currently online.

The Local Windows Accounts on Jump Clients option only displays if you have the Jump Clients permission located in Users & Security > Users > Access Permissions > Jump Technology. If you have any issues, contact your site administrator.

Click Continue to start the discovery process.

If you selected Windows Domain, follow the steps in the Add Domain section. If you selected Local Windows Accounts on Jump Clients, follow the steps in the Discovery: Jump Client Search Criteria.

For more information on Jumpoints, please see the BeyondTrust Privileged Remote Access Jumpoint Guide.

Add Domain

DNS Name of the Domain

Enter the DNS name for your environment.

Jumpoint

Choose an existing Jumpoint located in the environment where you wish to discover accounts.

Management Account

Select the management account needed to initiate the discovery job. Choose to use a new account, which requires a Username, Password, and Password Confirmation to be entered. Or, choose to use an existing account discovered from a previous job or added manually in the Accounts section.

Username

Enter a valid username to use for discovery (username@domain).

Password

Enter a valid a password to user for discovery.

Confirm Password

Re-enter the password to confirm.

You can define which parts of a domain to run a Discovery/Import job. Once you select the required fields for a Discovery Job, you can refine the search by specifying which OU’s to target or entering LDAP queries.

Discovery Scope

Select the objects you wish Vault to discover:

  • Domain Accounts
  • Endpoints
  • Local Accounts
  • Services

You can enter a Search Path, or leave it blank to search all OUs and containers. You can also use an LDAP Query to narrow the scope of user accounts and endpoints searched.

Discovery: Jump Client Search Criteria

Enter one or more search criteria to find active Jump Clients you'd like to use to discover local Windows accounts. All text field searches are partial and case-insensitive. Jump Clients that match all the search criteria will be displayed on the next page for you to select before discovery begins.

The following types of Jump Clients cannot be used for local account discovery and will not be included in the search results:
  • Jump Clients that are currently offline or disabled
  • Jump Clients that are not running as an elevated service
  • Jump Clients that are installed in a domain controller

Jump Groups

Administrators can search for Jump Clients via their Jump Groups and their attributes. If the user is not a member of any Jump Group, the Jump Groups selection section is grayed out and either a tool tip or note is shown indicating that user must be a member of at least one Jump Group to proceed with the Jump Client discovery process. This is similar to how domain discovery works when a user is not a member of a Jumpoint during discovery or not a member of a Jump Group when importing an endpoint.

You can search All of Your shared Jump Groups or Specific Jump Groups.

Jump Client Attributes

You can select one or more shared Jump Groups. Private Jump Groups are not supported.

One or more Jump Client attributes can be entered. If more than one search criteria is entered, only Jump Clients matching all criteria are used for discovery.

The following attributes can be used as search criteria:

  • Name: The Jump Client's name as it appears in the Name column in the access console.
  • Hostname: The Jump Client's hostname as it appears in the Hostname/IP column of the access console.
  • FQDN: The Jump Client's fully qualified domain name, as it appears under the FQDN label of the Jump Client details pane in the access console.
  • Tag: The Jump Client's tag as it appears in the Tag column of the Representative Console.
  • Public/Private IP: The Jump Client's public and private IP addresses, as they appear under the Public IP label of the Jump Client details pane in the access console. Jump Clients whose IP address starts with the given search value will match.

Click Continue to initiate the discovery.

Discovery: Select Jump Clients

This screen displays the Jump Clients that will be used in discovery. Select one or more and click Start Discovery.

Discovery Results

The results display a list of discovered Endpoints and Local Accounts. Select one or more and click Import Select.

Import Discovered Items

A list of the selections you made displays.

Account Group

Select from which account group you want to import, then click Start Import. A warning display indicating this process cannot be stopped once it has started. Click Yes to proceed, or No to abort.

Importing

A message displays indicating the import was completed successfully. A list of Endpoints and Local Accounts displays.

Accounts

Search Shared/Personal Accounts

If you get an extensive list of accounts discovered, use the Search field to search accounts by Name, Endpoint, or Description (by Name and Description only for personal accounts).

Toggle between Shared and Personal accounts. Select one or more accounts. Click ... to Rotate Password, Edit or Delete the account. You can also click Rotate at the top of the page to rotate the password for the select accounts.

Discovery Jobs

View discovery jobs that are in progress for a specific domain, or review the results of successful and failed discovery jobs.

View Results

Click View Results for a discovery job to view the Discovery Results, which includes discovered endpoints, local accounts, domain accounts, and services found in the domain.

You can filter the list of items based on their attributes using the filter box above the grid. For each tab, click the i next to the filter box to see which attributes can be searched.

Select which endpoints, accounts, and services to import and store in your BeyondTrust Vault instance. For each list item you wish to import, check the box beside it and click Import Selected.

For more information, please see Discover Domains, Endpoints, and Privileged Accounts Using BeyondTrust Vault.