Discover and Import Accounts, Services, and Endpoints Using BeyondTrust Vault

With the BeyondTrust Vault add-on, you can discover Active Directory accounts, local accounts, Windows service accounts, and endpoints. Jumpoints are used to scan endpoints and discover the accounts associated with those endpoints.

BeyondTrust Vault provides a built-in discovery tool to automatically find these accounts, endpoints, and services. Once discovered, results can be imported into your Vault for use.

For more information on Jumpoints, please see the BeyondTrust Privileged Remote Access Jumpoint Guide.

Initiate a Discovery Job for a New Domain

  1. From the /login interface, navigate to Vault > Discovery.
  2. Click New Discovery Job.
  3. Leave the default Windows Domain option selected, and then click Continue.
  4. If a domain doesn't exist in Vault, you are presented with the Add Domain form to add one. If a domain does exist in Vault, you are presented with the option to select a new or existing domain to discover. Select the New Domain option.

Add a Domain for Vault Discovery Job

  1. Enter a valid fully qualified DNS address for the domain you are performing the discovery action on.
  2. Choose an existing Jumpoint located in the environment where you wish to discover accounts.

The Jumpoint field is required for discovery. Enter the DNS name of a domain controller within the environment you wish to scan. Discovery is currently supported on Windows Jumpoints only.


  3. Select the Management Account needed to initiate the discovery job. Using a new account requires a Username, Password, and Password Confirmation. You may also use an existing account.

This account is used to connect and perform the discovery of accounts and endpoints in the specified domain. Enter a functional account that has permissions to change and reset passwords.

  4. Click Save and Continue.

Select Scope options for Vault Domain Discovery in /login.

Define the Discovery Scope

  1. Select the types of objects you wish Vault to discover:

    • Domain Accounts
    • Endpoints
    • Local Accounts
    • Services

Discovery of Services is available only if Domain Accounts, Endpoints, and Local Accounts are selected; only Windows service accounts are discovered.

  2. Enter a Search Path, or leave it blank to search all OUs and containers.
  3. Click Browse to refine your search by specifying which OUs to target.
  4. Use the LDAP Query field to narrow the scope of user accounts and endpoints searched.
  5. Once the scope is defined, click Start Discovery.


Discovery Progress dialog for discovering domains in /login.

The discovery process can take some time. While discovery is under way, the Discovery Progress screen appears and tracks the number of accounts and endpoints discovered.


Import Discovered Endpoints, Accounts, and Services

The Vault Domain Discovery Results page in /login.

Once the discovery job is complete, a Discovery Results page appears. You can switch between the Endpoints, Local Accounts, Domain Accounts, and Services tabs to view the discovered items and import them. Importing items saves them for later use in your Vault.

  • Endpoints: Shows the Name and Description of the endpoints discovered, as well as their Operating System and Distinguished Name.
  • Local Accounts: Shows the Username, Endpoint (system associated with account), Description, Last Login Date, Password Age, and Status for all discovered local accounts.
  • Domain Accounts: Shows the Username, Distinguished Name, Description, Last Login Date, Password Age, and Status for all discovered domain accounts.
  • Services: Shows the Display Name (Description) (name displayed in the Services snap-in), Short Name (name used by the Service Controller command line tool), Endpoint (system where the service runs), and Username (account used to run the service) for all discovered service accounts.

Only services that use an account other than a built-in account to run are returned in the discovery results.

  1. Choose any of the tabs: Endpoints, Local Accounts, Domain Accounts, or Services.

Vault Discovery Results page with items selected to import

  2. Select the items you wish to import, and then click Import Selected.

You can filter the list of items based on their attributes using the filter box above the grid. For each tab, click the i (info) icon next to the filter box to see which attributes can be searched.


The Vault Import Discovered Items page

  3. The Import Discovered Items page appears, listing the number of endpoints, accounts, and services selected for import. If importing endpoints and services, select a Jump Group from the list or select the Do not create Jump Item option. If importing accounts, select an Account Group from the list.
  4. Click Start Import.


The Vault Importing page indicating the status of the import once it is complete.

  5. A status page appears, indicating the import completed successfully, and lists the number of endpoints, accounts, and services imported. You can click the links to view the specific items that were imported. Click Done Importing to close the status page.


Upon successful import, the accounts, endpoints, and services are listed in the grids on the Accounts, Endpoints, and Services pages in /login > Vault.

The Vault Accounts page with Service Accounts listed

On the Accounts page, the endpoints associated with the shared accounts are indicated for each account, and if the account is used to run a Windows service, this is indicated in the Status column.


The Vault Endpoints page.

On the Endpoints page, the number of accounts, Jump Items, and services associated with each endpoint is indicated. You can view the specific associated accounts, Jump Items, and services by clicking the links.

For imported endpoints, RDP Jump shortcuts are created with an automatic association to local accounts.

Click the Select visible columns button above the grid to customize the columns displayed in the grid.


Associate Existing Remote RDP Jump Shortcuts

Non-domain-linked endpoints can be associated with RDP items for improved security and user experience. To create the association, click Jump Items on the Endpoints screen. Then click Add and select Add Remote RDP Jump Shortcut or Associate Existing RDP Jump Shortcuts.


Click the RDP shortcut or shortcuts to associate with the Jump Client.

If associating an existing shortcut, click the shortcut(s) to add, and then click Associate Selected.


The Vault Services page.

On the Services page, the endpoints and accounts associated with each service are indicated, as well as the last status of the service. Also, from the Services page, you have the option to restart the service upon rotation of the service account by checking the Restart box for the service.


Initiate a Discovery Job for an Existing Domain

Discovery jobs can be initiated on domains that have already been added or imported to BeyondTrust Vault. From /login, you can initiate a discovery job from the Vault > Domains page and also from the Vault > Discovery page. Both methods are documented below.

From Vault > Domains Page

The Vault > Domains page in /login highlighting the Discover button.

  1. Click the Discover button for the domain.
  2. Define the scope of the discovery, and then click Start Discovery.
  3. Select the items to import from the discovery results and start the import.

From Vault > Discovery Page

  1. Click New Discovery Job.
  2. Leave the default Windows Domain option selected, and then click Continue.
  3. Select Existing Domain.
  4. Select the domain from the dropdown list.
  5. Click Continue with Existing Domain.
  6. Define the scope of the discovery, and then click Start Discovery.
  7. Select the items to import from the discovery results and start the import.

Discovery and Rotation of Vault Accounts — Port Requirements

Active Directory:

  • Port 389
  • Port 636

Local Account Management:

  • Port 445
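As an added pre-flight check that is not part of the BeyondTrust documentation, the PowerShell below, run from the Windows Jumpoint, verifies the ports listed above against the domain controller and a sample of endpoints, and previews which domain accounts the Search Path and LDAP Query (from Define the Discovery Scope) would place in scope before the job is started. The domain controller name, endpoint names, Search Path and LDAP filter are assumed sample values.

```powershell
# Assumed sample values: replace with your own domain controller, endpoints, Search Path and LDAP Query.
$DomainController = 'dc01.corp.example'                            # FQDN of a DC in the domain to scan
$Endpoints        = @('ws01.corp.example', 'srv01.corp.example')   # constructed sample endpoint list
$SearchPath       = 'OU=Servers,DC=corp,DC=example'                # Search Path; $null scans the whole domain
# Sample LDAP Query: enabled user accounts only (bit 2 of userAccountControl = ACCOUNTDISABLE)
$LdapFilter       = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Checks the Vault discovery/rotation ports: 389 and 636 to the DC, 445 to each endpoint.
function Test-VaultDiscoveryPorts {
    param([string]$Dc, [string[]]$Hosts)
    $results = @()
    foreach ($port in 389, 636) {
        $ok = (Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        $results += [pscustomobject]@{ Target = $Dc; Port = $port; Purpose = 'Active Directory'; Open = $ok }
    }
    foreach ($h in $Hosts) {
        $ok = (Test-NetConnection -ComputerName $h -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
        $results += [pscustomobject]@{ Target = $h; Port = 445; Purpose = 'Local account management'; Open = $ok }
    }
    return $results
}

# Runs the same Search Path + LDAP filter the discovery job would use and reports username, DN and password age.
function Get-VaultDiscoveryPreview {
    param([string]$Dc, [string]$Base, [string]$Filter)
    $root = if ($Base) { "LDAP://$Dc/$Base" } else { "LDAP://$Dc" }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($root)
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000                                       # paged search for large OUs
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'pwdLastSet'))
    foreach ($r in $searcher.FindAll()) {
        $age = $null
        if ($r.Properties['pwdlastset'].Count -gt 0 -and [int64]$r.Properties['pwdlastset'][0] -gt 0) {
            $setTime = [datetime]::FromFileTime([int64]$r.Properties['pwdlastset'][0])
            $age = (New-TimeSpan -Start $setTime -End (Get-Date)).Days
        }
        [pscustomobject]@{
            Username        = [string]$r.Properties['samaccountname'][0]
            DN              = [string]$r.Properties['distinguishedname'][0]
            PasswordAgeDays = $age                                  # $null when the password was never set
        }
    }
}

Test-VaultDiscoveryPorts  -Dc $DomainController -Hosts $Endpoints | Format-Table -AutoSize
Get-VaultDiscoveryPreview -Dc $DomainController -Base $SearchPath -Filter $LdapFilter | Format-Table -AutoSize
```

Run it under the same management account you will assign to the discovery job so that a closed port or an empty preview is found before the job is scheduled rather than after it fails.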

Schedule Discovery Jobs

Schedule Discovery Job for a New Domain

  1. From the /login interface, navigate to Vault > Domains.
  2. Click Add.
  3. Follow the same steps as detailed above for initiating a discovery job for a new domain, but also set the Scheduled Domain Discovery settings.
  4. Click Save. The discovery job runs on the days and time you specify.
  5. To import items discovered from scheduled jobs:
    • Navigate to Vault > Discovery.
    • Locate the completed scheduled job. (Scheduled jobs are indicated as being performed by System.)
    • Click View Results for the completed job.
    • Import selected items.

Schedule a Discovery Job for an Existing Domain

  1. From the /login interface, navigate to Vault > Domains.
  2. Click the Edit button (pencil icon) for a listed domain.
  3. Scroll down to the Scheduled Domain Discovery section and check Enable Schedule Delivery.
  4. Select the days and time for the schedule.
  5. Define the Discovery Scope, and then click Save.

The process for defining the discovery scope, viewing the results, and importing the discovered items is the same for all methods of discovery described in the above sections.

For more information, please see the following: