Discover Domains, Endpoints, and Accounts Using BeyondTrust Vault

With the BeyondTrust Vault add-on, you can discover Active Directory accounts, local accounts, and endpoints. Jumpoints are used to scan endpoints and discover the accounts associated with those endpoints.

To learn more about Jumpoints, please see BeyondTrust Privileged Remote Access Jumpoint Guide.

The first step to implement BeyondTrust Vault in your environment is to use the built-in discovery tool to find accounts. To initiate a discovery job, follow the steps below.

Initiate a Discovery Job

  1. From the /login interface, go to Vault > Discovery.
  2. Choose an existing Jumpoint located in the environment where you wish to discover accounts.

The Jumpoint field is required for discovery. The Jumpoint should be the DNS name of a domain controller within the environment you wish to scan.

  3. Select the management account needed to start the discovery job. You can either use a new account, which requires a Username, Password, and Password Confirmation, or use an existing account discovered from a previous job or added manually in the Accounts section. Then, select which account types you wish Vault to discover. Once the scope is defined, click Discover.
  4. When the confirmation prompt appears asking if you wish to continue, click OK.


The discovery process can take some time. While discovery is underway, the Discovery Progress screen appears and tracks the number of accounts and endpoints discovered.

Once the discovery job is done, a Discovery Results page appears. You can switch between the Endpoints, Local Accounts, and Domain Accounts tabs to view the discovered items.

  • Endpoints: Shows the names of the endpoints discovered, as well as a description, if available.
  • Local Accounts: Shows the Username, Endpoint (association), Description, Last Login Date, and Password Age for all discovered local accounts.
  • Domain Accounts: Shows the Username, Distinguished Name, Description, Last Login Date, and Password Age for all discovered domain accounts.

Import Discovered Endpoints and Accounts

You can import endpoints, local accounts, or domain accounts into Vault for continued management, use, and maintenance.

  1. Choose any of the tabs: Endpoints, Local Accounts, or Domain Accounts.
  2. Check the box located by the endpoint or account you wish to import.
  3. Click Import Selected.
  4. The Import Discovered Items section appears, listing the number of endpoints and accounts selected for import. Click Start Import.

Once the import is complete, the endpoint or account becomes available in the Endpoints and Accounts sections.

For imported endpoints, RDP Jump Shortcuts are created with an automatic association to local accounts.

For more information, please see Discover Domains, Accounts, and Endpoints.

Add Generic Credentials and SSH Keys

Outside of the discovery process, you can manually add individual credential accounts to BeyondTrust Vault. To add generic accounts, follow the steps below.

  1. Go to Vault > Accounts.
  2. Click Add New Account.
  3. Complete the information on the Generic Account :: Add page. The required fields are:
    • Name
    • Username
    • Authentication
    • Password

For more information about adding generic accounts, please see Generic Account :: Add.

  4. When finished, click Add Account.

At any point, you can edit the account's information by clicking ... > Edit.