Discover and Import Domain Endpoints and Accounts Using BeyondTrust Vault
With the BeyondTrust Vault add-on, you can discover Active Directory accounts, local accounts, and endpoints. Jumpoints are used to scan endpoints and discover the accounts associated with those endpoints.
To learn more about Jumpoints, please see BeyondTrust Remote Support Jumpoint Guide.
The first step to implementing BeyondTrust Vault into your environment is to use the built-in discovery tool to find these accounts. To initiate a discovery job, follow the steps below.
Initiate a Discovery Job
- From the /login interface, go to Vault > Discovery.
- Click New Discovery Job.
- Select the type of discovery you wish to run: Windows Domain or Local Windows Accounts on Jump Clients.
- Click Continue.
- Enter a valid fully qualified DNS name for the domain you are performing the discovery action on.
Choose an existing Jumpoint located within the environment you wish to discover accounts.
The Jumpoint field is required for discovery. The Jumpoint should be the DNS name of domain controller within the environment you wish to scan. Discovery is currently supported on Windows Jumpoints only.
- Select the Management Account needed to initiate the discovery job. Choose to use a new account, which requires a Username, Password, and Password Confirmation. Or choose to use an existing account discovered from a previous job or added manually in the Accounts section.
This account is used to connect and perform the discovery of accounts and endpoints in the specified domain. It should be a functional account that has permissions to change and reset passwords.
- Click Save and Continue.
- Select the account types you wish Vault to discover: Domain Accounts or Endpoints.
- Enter a Search Path, or leave it blank to search all OUs and containers.
- Click Browse if you want to refine your search by specifying which OUs to target.
- Use the LDAP Query field if you want to narrow the scope of user accounts and endpoints searched.
- Once the scope is defined, click Start Discorvery.
The discovery process can take some time. While discovery is underway, the Discovery Progress screen appears and tracks the number of accounts and endpoints discovered.
Once the discovery job is complete, a Discovery Results page appears and lists all discovered endpoints, local accounts, and domain accounts.
From the results page, you can switch between the Endpoints, Local Accounts, and Domain Accounts tabs to view the discovered items.
- Endpoints: Shows the names of the endpoints discovered, as well as a description, if available.
- Local Accounts: Shows the Username, Endpoint (association), Description, Last Login Date, and Password Age for all discovered local accounts.
- Domain Accounts: Shows the Username, Distinguished Name, Description, Last Login Date, and Password Age for all discovered domain accounts.
Import Discovered Endpoints and Accounts
You can import endpoints, local accounts, or domain accounts into BeyondTrust Vault for continued management, use, and maintenance.
- Choose any of the tabs: Endpoints, Local Accounts, or Domain Accounts.
- Check the box located beside the endpoint or account you wish to import.
- Click Import Selected.
- The Import Discovered Items section appears, listing the number of endpoints and accounts selected for import. If importing endpoints, select a Jump Group from the list or select the Do not create Jump Item option. If importing accounts, select an Account Group from the list.
- Click Start Import.
Once the import is complete, the endpoint or account becomes available in the Endpoints and Accounts sections.
For imported endpoints, RDP Jump Shortcuts are created with an automatic association to local accounts.
For more information, please see Discover Domains, Accounts, and Endpoints.