Discover Domains, Endpoints, and Accounts Using BeyondTrust Vault

With the BeyondTrust Vault add-on, you can discover Active Directory accounts, local accounts, and endpoints. Jumpoints are used to scan endpoints and discover the accounts associated with those endpoints.

To learn more about Jumpoints, please see BeyondTrust Remote Support Jumpoint Guide.

The first step to implementing BeyondTrust Vault into your environment is to use the built-in discovery tool to find these accounts. To initiate a discovery job, follow the steps below.

Initiate a Discovery Job

Screenshot of the /login header highlighting Vault > Discovery.

  1. From the /login interface, go to Vault > Discovery.
  2. Screenshot of the Domain Discovery section in /login.

  3. Choose an existing Jumpoint located within the environment you wish to discover accounts.

  4. The Jumpoint field is required for discovery. The Jumpoint should be the DNS name of a domain controller within the environment you wish to scan.

  5. Select the management account needed to initiate the discovery job. Choose to use a new account, which requires a Username, Password, and Password Confirmation to be entered. Or choose to use an existing account discovered from a previous job or added manually in the Accounts section. Once an account is selected, click Discover.
  6. Screenshot of a browser confirmation message for discovery.

  7. When the confirmation prompt appears asking if you wish to continue, click OK.


Screenshot of a discovery job in progress, tallying the accounts and endpoints found.

The discovery process can take some time. While discovery is in underway, the Discovery Progress screen appears and tracks the number of accounts and endpoints discovered.

Screenshot of the Discovery Results section in /login.

Once the discovery job is complete, a Discovery Results page appears and lists all discovered endpoints, local accounts, and domain accounts.


From the results page, you can switch between the Endpoints, Local Accounts, and Domain Accounts tabs to view the discovered items.

  • Endpoints: Shows the names of the endpoints discovered, as well as a description, if available.
  • Local Accounts: Shows the Username, Endpoint (association), Description, Last Login Date, and Password Age for all discovered local accounts.
  • Domain Accounts: Shows the Username, Distinguished Name, Description, Last Login Date, and Password Age for all discovered domain accounts.

Import Discovered Endpoints and Accounts

You can import endpoints, local accounts, or domain accounts into BeyondTrust Vault for continued management, use, and maintenance.

  1. Choose any of the tabs: Endpoints, Local Accounts, or Domain Accounts.
  2. Screenshot of a list of discovered accound and one account is selected.

  3. Check the box located beside the endpoint or account you wish to import.

  5. Click Import Selected.

  7. The Import Discovered Items section will appear, listing the number of endpoints and accounts selected to be imported. Click Start Import.

Once the import is complete, the endpoint or account becomes available in the Endpoints and Accounts sections.

For imported endpoints, RDP Jump Shortcuts are created with an automatic association to local accounts.

Screenshot of Account section in /login.

For more information, please see Discover Domains, Accounts, and Endpoints.

Add Generic Credentials and SSH Keys

Outside of the discovery process, you can manually add individual credential accounts to BeyondTrust Vault. To add generic accounts, follow the steps below.

Screenshot of the /login header, highlighting Vault > Accounts.

  1. Go to Vault > Accounts.
  2. Click Add New Account.
  3. Complete the information on the Generic Account :: Add page. The required fields are:
    • Name
    • Username
    • Authentication
    • Password

For more information about adding generic accounts, please see Generic Account :: Add.

  1. When finished, click Add Account.

At any point, you can edit the account's information by clicking ... > Edit.