Discover and Import Domain Endpoints and Accounts Using BeyondTrust Vault

With the BeyondTrust Vault add-on, you can discover Active Directory accounts, local accounts, and endpoints. Jumpoints are used to scan endpoints and discover the accounts associated with those endpoints.

To learn more about Jumpoints, please see the BeyondTrust Privileged Remote Access Jumpoint Guide.

The first step to implement BeyondTrust Vault in your environment is to use the built-in discovery tool to find accounts. To initiate a discovery job, follow the steps below.

Initiate a Domain Discovery Job

  1. From the /login interface, go to Vault > Discovery.
  2. Click New Discovery Job.
  3. Leave the default Windows Domain option selected, and then click Continue.

Screenshot of the Vault > Discovery Add Domain screen in Privileged Remote Access /login.

  4. Enter a valid fully qualified DNS name for the domain you are performing the discovery action on.
  5. Choose an existing Jumpoint located in the environment where you wish to discover accounts.

The Jumpoint field is required for discovery. The Jumpoint should be the DNS name of a domain controller within the environment you wish to scan. Discovery is currently supported on Windows Jumpoints only.

  6. Select the Management Account needed to start the discovery job. Either use a new account, which requires a Username, Password, and Password Confirmation, or use an existing account that was discovered by a previous job or added manually in the Accounts section.

This account is used to connect and perform the discovery of accounts and endpoints in the specified domain. It should be a functional account that has permissions to change and reset passwords.

  7. Click Save and Continue.

Select Scope options for Vault Domain Discovery in /login.

  1. Select the account types you wish Vault to discover: Domain Accounts, Endpoints, and Local Accounts.
  2. Enter a Search Path, or leave it blank to search all OUs and containers.
  3. Click Browse if you want to refine your search by specifying which OUs to target.
  4. Use the LDAP Query field if you want to narrow the scope of user accounts and endpoints searched.
  5. Once the scope is defined, click Start Discovery.

Screenshot of the Discovery Progress dialog for discovering domains in /login.

The discovery process can take some time. While discovery is underway, the Discovery Progress screen appears and tracks the number of accounts and endpoints discovered.

Screenshot of the Vault Domain Discovery Results page in /login.

Once the discovery job is done, a Discovery Results page appears. You can switch between the Endpoints, Local Accounts, and Domain Accounts tabs to view the discovered items.

  • Endpoints: Shows the names of the endpoints discovered, as well as a description, if available.
  • Local Accounts: Shows the Username, Endpoint (association), Description, Last Login Date, and Password Age for all discovered local accounts.
  • Domain Accounts: Shows the Username, Distinguished Name, Description, Last Login Date, and Password Age for all discovered domain accounts.

Import Discovered Endpoints and Accounts

You can import endpoints, local accounts, or domain accounts into Vault for continued management, use, and maintenance.

  1. Choose any of the tabs: Endpoints, Local Accounts, or Domain Accounts.
  2. Check the box located by the endpoint or account you wish to import.
  3. Click Import Selected.

Import Discovered Items into the Vault

  1. The Import Discovered Items page appears, listing the number of endpoints and accounts selected for import. If importing endpoints, select a Jump Group from the list or select the Do not create Jump Item option. If importing accounts, select an Account Group from the list.
  2. Click Start Import.

Once the import is complete, the endpoint or account becomes available in the Endpoints and Accounts sections.

For imported endpoints, RDP Jump Shortcuts are created with an automatic association to local accounts.

For more information, please see Discover Domains, Accounts, and Endpoints.