Discover and Import Accounts, Services, and Endpoints Using BeyondTrust Vault

With the BeyondTrust Vault add-on, you can discover Active Directory accounts, local accounts, Windows service accounts, and endpoints. Jumpoints are used to scan endpoints and discover the accounts associated with those endpoints.

The first step to implement BeyondTrust Vault in your environment is to use the built-in discovery tool to find accounts in Windows domains. To initiate a discovery job, follow the steps below.

For more information on Jumpoints, please see the BeyondTrust Privileged Remote Access Jumpoint Guide.

Initiate a Discovery Job for a New Domain

  1. From the /login interface, navigate to Vault > Discovery.
  2. Click New Discovery Job.
  3. Leave the default Windows Domain option selected, and then click Continue.
  4. If a domain doesn't exist in Vault, you are presented with the Add Domain form to add one. If a domain does exist in Vault, you are presented with the option to select a new or existing domain to discover. Select the New Domain option.

Add a Domain for Vault Discovery Job

  1. Complete the form as follows:
    • Enter a valid fully qualified DNS name for the domain you are performing the discovery action on.
    • Choose an existing Jumpoint located in the environment where you wish to discover accounts.

The Jumpoint field is required for discovery. Enter the DNS name of a domain controller within the environment you wish to scan. Discovery is currently supported on Windows Jumpoints only.

    • Select the Management Account needed to start the discovery job. Either use a new account, which requires a Username, Password, and Password Confirmation, or use an existing account that was discovered by a previous job or added manually in the Accounts section.

This account is used to connect and perform the discovery of accounts and endpoints in the specified domain. Enter a functional account that has permissions to change and reset passwords.

  2. Click Save and Continue.


Select Scope options for Vault Domain Discovery in /login.

Define the Discovery Scope

  1. Select the types of objects you wish Vault to discover:

    • Domain Accounts
    • Endpoints
    • Local Accounts
    • Services

Discovery of Services is available only if Domain Accounts, Endpoints, and Local Accounts are also selected. Only Windows service accounts are discovered.

  2. Enter a Search Path, or leave it blank to search all OUs and containers.
  3. Click Browse to refine your search by specifying which OUs to target.
  4. Use the LDAP Query field to narrow the scope of user accounts and endpoints searched.
  5. Once the scope is defined, click Start Discovery.


Screenshot of the Discovery Progress dialog for discovering domains in /login.

The discovery process can take some time. While discovery is under way, the Discovery Progress screen appears and tracks the number of accounts and endpoints discovered.


Import Discovered Endpoints, Accounts, and Services

Screenshot of the Vault Domain Discovery Results page in /login.

Once the discovery job is complete, a Discovery Results page appears. You can switch between the Endpoints, Local Accounts, Domain Accounts, and Services tabs to view the discovered items and import them.

  • Endpoints: Shows the Name and Description of the endpoints discovered, as well as their Operating System and Distinguished Name.
  • Local Accounts: Shows the Username, Endpoint (system associated with account), Description, Last Login Date, Password Age, and Status for all discovered local accounts.
  • Domain Accounts: Shows the Username, Distinguished Name, Description, Last Login Date, Password Age, and Status for all discovered domain accounts.
  • Services: Shows the Display Name (the name displayed in the Services snap-in), Short Name (the name used by the Service Controller command line tool), Endpoint (the system where the service runs), and Username (the account used to run the service) for all discovered service accounts.

Only services that use an account other than a built-in account to run are returned in the discovery results.
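The Search Path and LDAP Query fields described above decide which objects a discovery job touches, and the results only list services that run under a non-built-in account. The PowerShell below is an added example, not part of the BeyondTrust documentation, that previews both from an administrative workstation before a job is started; the domain controller name, the search base, RSAT module availability and CIM access to the endpoints are assumptions.

```powershell
# Added example (not from the BeyondTrust documentation): preview what a Vault
# discovery scope will match, using the same inputs the Define the Discovery
# Scope step asks for (Search Path and LDAP Query). Requires the RSAT
# ActiveDirectory module. Domain controller and OU names are placeholders.
Import-Module ActiveDirectory

$DomainController = 'dc01.corp.example.com'                # placeholder DC DNS name
$SearchPath       = 'OU=Servers,DC=corp,DC=example,DC=com' # placeholder Search Path

# Endpoints: enabled computer objects running Windows Server.
# The bitwise AND rule 1.2.840.113556.1.4.803 tests userAccountControl bit 2 (ACCOUNTDISABLE).
$EndpointFilter = '(&(objectCategory=computer)(operatingSystem=Windows Server*)' +
                  '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$Endpoints = Get-ADComputer -Server $DomainController -SearchBase $SearchPath `
    -LDAPFilter $EndpointFilter -Properties OperatingSystem
$Endpoints | Select-Object Name, OperatingSystem, DistinguishedName | Format-Table -AutoSize

# Domain Accounts: enabled users in scope, with the attributes the results grid reports.
$AccountFilter = '(&(objectCategory=person)(objectClass=user)' +
                 '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
Get-ADUser -Server $DomainController -SearchBase $SearchPath -LDAPFilter $AccountFilter `
    -Properties PasswordLastSet, LastLogonDate |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate,
        @{ Name = 'PasswordAgeDays'; Expression = {
            if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } } } |
    Format-Table -AutoSize

# Services: only services running under a non-built-in account are discovered, so
# list exactly those on each in-scope endpoint. Virtual accounts (NT SERVICE\...)
# and the LocalSystem / LocalService / NetworkService identities are excluded.
$BuiltIn = '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService)|NT SERVICE\\.*)$'
foreach ($ep in $Endpoints) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $ep.DNSHostName -ErrorAction SilentlyContinue |
        Where-Object { $_.StartName -and $_.StartName -notmatch $BuiltIn } |
        Select-Object @{ Name = 'Endpoint'; Expression = { $ep.Name } },
            DisplayName, Name, StartName, State
}
```

Comparing this preview with the Discovery Results tabs shows whether the scope is too broad or too narrow before any accounts are imported into Vault.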

  1. Choose any of the tabs: Endpoints, Local Accounts, Domain Accounts, or Services.

Screenshot of Vault Discovery Results page with items selected to import.

  2. Select the items you wish to import, and then click Import Selected.

You can filter the list of items based on their attributes using the filter box above the grid. For each tab, click the i next to the filter box to see which attributes can be searched.

Screenshot of the Vault Import Discovered Items page.

  3. The Import Discovered Items page appears, listing the number of endpoints, accounts, and services selected for import. If importing endpoints and services, select a Jump Group from the list or select the Do not create Jump Item option. If importing accounts, select an Account Group from the list.
  4. Click Start Import.

Screenshot of the Vault Importing page indicating the status of the import once it is complete.

  5. A status page appears, indicating the import completed successfully, and lists the number of endpoints, accounts, and services imported. You can click the links to view the specific items that were imported. Click Done Importing to close the status page.


Upon successful import, the accounts, endpoints, and services are listed in the grids on the Accounts, Endpoints, and Services pages in /login > Vault.

Screenshot of Vault Accounts page with Service Accounts listed

On the Accounts page, the endpoints associated with the shared accounts are indicated for each account, and if the account is used to run a Windows service, this is indicated in the Status column.


Screenshot of the Vault Endpoints page.

On the Endpoints page, the number of accounts, Jump Items, and services associated with each endpoint is indicated. You can view the specific associated accounts, Jump Items, and services by clicking the links.

For imported endpoints, RDP Jump shortcuts are created with an automatic association to local accounts.

Click the Select visible columns button above the grid to customize the columns displayed in the grid.


Screenshot of the Vault Services page.

On the Services page, the endpoints and accounts associated with each service are indicated, as well as the last status of the service. Also, from the Services page, you have the option to restart the service upon rotation of the service account by checking the Restart box for the service.


Initiate a Discovery Job for an Existing Domain

From /login, you can initiate a discovery job from the Vault > Domains page and also from the Vault > Discovery page. Both methods are documented below.

From Vault > Domains Page

Screenshot of Vault > Domains page in /login highlighting the Discover button.

  1. Click the Discover button for the domain.
  2. Define the scope of the discovery, and then click Start Discovery.
  3. Select the items to import from the discovery results and start the import.

From Vault > Discovery Page

  1. Click New Discovery Job.
  2. Leave the default Windows Domain option selected, and then click Continue.

Screenshot of initiating a Vault Domain Discovery job for an existing domain in /login.

  3. Select Existing Domain.
  4. Select the domain from the dropdown list.
  5. Click Continue with Existing Domain.
  6. Define the scope of the discovery, and then click Start Discovery.
  7. Select the items to import from the discovery results and start the import.

Schedule Discovery Jobs

Schedule Discovery Job for a New Domain

  1. From the /login interface, navigate to Vault > Domains.
  2. Click Add.
  3. Follow the same steps as detailed above for initiating a discovery job for a new domain, but also set the Scheduled Domain Discovery settings.
  4. Click Save. The discovery job runs on the days and time you specify.
  5. To import items discovered from scheduled jobs:
    • Navigate to Vault > Discovery.
    • Locate the completed scheduled job. (Scheduled jobs are indicated as being performed by System.)
    • Click View Results for the completed job.
    • Import selected items.

Schedule a Discovery Job for an Existing Domain

  1. From the /login interface, navigate to Vault > Domains.
  2. Click the Edit button (pencil icon) for a listed domain.
  3. Scroll down to the Scheduled Domain Discovery section and check Enable Schedule Delivery.
  4. Select the days and time for the schedule.
  5. Define the Discovery Scope, and then click Save.

The process for defining the discovery scope, viewing the results, and importing the discovered items is the same for all methods of discovery described in the sections above.
