Scan for accounts using Account Discovery

This topic presents the Account Discovery capability, which scans the machines in your domain to discover privileged accounts and their dependencies across your organization. Discovered accounts are displayed for analysis in the Privilege Cloud Portal or retrieved through dedicated REST APIs. You then decide which accounts Privilege Cloud should securely manage and add them to the system; this process is called onboarding.

This topic explains how to configure Account Discovery scans, review discovered accounts, and onboard them.

What accounts can you discover?

Account Discovery discovers the following types of accounts:

  • Windows domain and local accounts

  • Unix local accounts and SSH Keys

  • MacOS accounts from within the Administrators/root groups

These accounts are grouped into two categories:

  • Pending accounts. Pending accounts are privileged accounts in your organization, which you may want to secure by applying a privileged access policy based on password or key. Scan mechanisms provide a list of potential pending accounts, allowing you to review and analyze them, and then decide whether to onboard them to Privilege Cloud, or discard them from the list.

  • Account dependencies. Account dependencies provide additional information related to the discovered accounts and indicate additional locations where an account's secrets should be changed, for example, a Windows service, or a Windows scheduled task. Account dependencies should be taken into consideration and handled when onboarding new accounts.

How Accounts Discovery works

Accounts are discovered using the following complementary mechanisms:

Windows and Unix machines (using CPM Scanner)

The CPM Scanner service scans Windows and Unix machines for new and modified accounts and their dependencies. The discovered accounts are displayed in the Pending Accounts feed for review. You can then decide to onboard, disregard, or delete each discovered account.

  • Scanned machines. The scan targets a defined list of machines, taken from a source such as your organization's Active Directory or a CSV file.
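
The Unix side of such a scan, reduced to an offline model, as an added example that is not CyberArk's CPM Scanner code: it reads constructed copies of /etc/passwd, /etc/group, per-user authorized_keys files and /etc/crontab and produces the two things the page says discovery reports, privileged local accounts and their SSH keys, with cron jobs recorded as a dependency. The set of groups treated as privileged, the decision to drop nologin system accounts, and the sample file contents are all assumptions made here; a real scan reads these files over SSH on each target machine.

```python
"""Offline model of Unix local-account and SSH-key discovery (added example)."""
import base64
import hashlib
from dataclasses import dataclass, field

def _fake_blob(keytype: str, n: int) -> str:
    """Build a syntactically plausible base64 key blob for the constructed sample."""
    raw = len(keytype).to_bytes(4, "big") + keytype.encode() + bytes([0x42]) * n
    return base64.b64encode(raw).decode()

# Constructed sample files (not taken from any real host).
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1001:1001:Deploy Bot:/home/deploy:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
bob:x:1004:1004:Bob:/home/bob:/bin/bash
backup:x:1003:1003:Backup:/var/backups:/usr/sbin/nologin
"""
GROUP = """root:x:0:
sudo:x:27:deploy
wheel:x:10:alice
users:x:100:alice,bob
"""
# username -> contents of that user's ~/.ssh/authorized_keys
AUTHORIZED_KEYS = {
    "root": "ssh-ed25519 " + _fake_blob("ssh-ed25519", 32) + " ci@build\n"
            'no-pty,command="/usr/bin/backup" ssh-ed25519 ' + _fake_blob("ssh-ed25519", 32) + " backup@nas\n",
    "deploy": "",
    "alice": "ssh-rsa " + _fake_blob("ssh-rsa", 64) + " alice@laptop\n",
    "bob": "# old key\nssh-rsa " + _fake_blob("ssh-rsa", 64) + " bob@home\n",
}
# /etc/crontab layout: min hour dom mon dow user command
CRONTAB = """0 2 * * * root /usr/local/bin/rotate-logs
*/5 * * * * deploy /opt/app/bin/sync
"""

# Assumption: membership in one of these groups makes an account privileged.
PRIV_GROUPS = {"root", "sudo", "wheel", "admin"}

@dataclass
class PendingAccount:
    username: str
    uid: int
    shell: str
    privileged: bool
    ssh_keys: list = field(default_factory=list)      # SHA256 fingerprints
    dependencies: list = field(default_factory=list)  # e.g. ("cron", command)

def ssh_fingerprint(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line.
    A leading options field (no-pty,command=...) is skipped by locating the
    key-type token; quoted options containing spaces are not handled."""
    tokens = line.split()
    idx = next(i for i, t in enumerate(tokens)
               if t.startswith(("ssh-", "ecdsa-", "sk-")))
    blob = base64.b64decode(tokens[idx + 1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def discover(passwd=PASSWD, group=GROUP, keys=AUTHORIZED_KEYS, crontab=CRONTAB):
    """Return {username: PendingAccount} for login-capable local accounts."""
    priv_members = set()
    for gline in group.splitlines():
        name, _, _, members = gline.split(":")
        if name in PRIV_GROUPS and members:
            priv_members.update(members.split(","))
    accounts = {}
    for pline in passwd.splitlines():
        user, _, uid, _, _, _, shell = pline.split(":")
        uid = int(uid)
        # System accounts with a non-login shell are noise unless they are uid 0.
        if shell.endswith("nologin") and uid != 0:
            continue
        accounts[user] = PendingAccount(user, uid, shell,
                                        privileged=(uid == 0 or user in priv_members))
    for user, content in keys.items():
        if user not in accounts:
            continue
        for kline in content.splitlines():
            if kline.strip() and not kline.startswith("#"):
                accounts[user].ssh_keys.append(ssh_fingerprint(kline))
    for cline in crontab.splitlines():
        fields = cline.split(None, 6)
        if len(fields) == 7 and fields[5] in accounts:
            accounts[fields[5]].dependencies.append(("cron", fields[6]))
    return accounts

if __name__ == "__main__":
    for acct in discover().values():
        print(acct)
```

Accounts that carry a key but are not privileged (bob above) still surface, because a rotated SSH key is a secret whose locations must be tracked regardless of group membership; the privileged flag and the dependency list are what the later analysis step uses to prioritise them.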

Account Discovery of local Windows and MacOS accounts (using EPM Endpoint agent data collection)

The Account Discovery service scans network endpoints to discover unmanaged local Windows and MacOS accounts. Discovered accounts are displayed in the Discovered Accounts feed for review. You can then decide to onboard a discovered account, delete it, or disregard it.

  • Supported machines. The Account Discovery service supports Windows and MacOS machines, and does not currently support Unix machines.

  • CyberArk EPM is required. The Account discovery service requires CyberArk EPM, which automatically collects discovered local accounts from endpoints, including loosely connected devices. If you do not have CyberArk EPM or want to learn more, contact your account manager or CyberArk Support.

  • Setup and configuration. See Set up the Account Discovery service.

  • Discovering and managing accounts. See Discover and manage local accounts on Windows and MacOS endpoints.

The Accounts Discovery process

Onboarding accounts is a continuous process, where each account goes through three steps:

Step 1: Run Discovery

Scan your environment to discover accounts that require privileged access.

The following scan options apply to the CPM Scanner mechanism only. The Accounts Discovery service, based on CyberArk's EPM, scans the local endpoints automatically.

  • Manual vs. scheduled scans. You can run scans once or schedule recurring scans. Recurring scans update pending accounts and the account dependencies.

  • Automatic update of dependencies. When a new dependency is discovered, it is added to the pending account's dependencies. If the account is already onboarded, newly detected dependencies are automatically onboarded as well.

  • Running account discovery on remote Unix machines. Some organizations block direct privileged logon to remote Unix machines. In this case, a dedicated logon account with permission to log on remotely is required: the logon account authenticates to the remote machine first, and the privileged user then runs the discovery from that session. In these environments, before creating discoveries, associate a logon account with the account that will be used to run discoveries on remote Unix machines. For more information about creating and associating logon accounts, see Create linked accounts.

Step 2: Analyze

The results of the scan are queued in the Pending Accounts list. Review the list, assess the risk of each account, and select which accounts to onboard and which are no longer needed and can be deleted.

Step 3: Onboard

Onboard accounts and assign them to a Safe and platform. You can also use onboarding rules to automatically assign accounts to Safes as soon as they are discovered.
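
A worked model of steps 2 and 3 on top of a step 1 feed, as an added example that is not CyberArk's code: onboarding rules assign a Safe and platform from an account's attributes as soon as it arrives, accounts that no rule matches stay pending for manual review, and a second scan that finds a new dependency (a scheduled task) on an already-onboarded account adds it to the managed account automatically, as the scan options above describe. The feed fields, the rule format, and the Safe and platform names are assumptions made for this example.

```python
"""Analyze and onboard a discovered-accounts feed with onboarding rules (added example)."""
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Discovered:
    name: str
    address: str            # domain for domain accounts, host for local ones
    platform_type: str      # "Windows Domain", "Windows Local", "Unix", "Unix SSH Key"
    privileged: bool
    dependencies: list = field(default_factory=list)  # (kind, name, host)

@dataclass
class Rule:
    name: str
    match: Callable[[Discovered], bool]
    safe: str
    platform: str

@dataclass
class Managed:
    account: Discovered
    safe: str
    platform: str
    dependencies: list

# Assumed onboarding rules; Safe and platform names are illustrative only.
RULES = [
    Rule("domain privileged", lambda a: a.platform_type == "Windows Domain" and a.privileged,
         safe="Win-Domain-Privileged", platform="WinDomain"),
    Rule("unix root keys", lambda a: a.platform_type == "Unix SSH Key" and a.name == "root",
         safe="Unix-Root-Keys", platform="UnixSSHKeys"),
    Rule("local admins", lambda a: a.platform_type == "Windows Local" and a.privileged,
         safe="Win-Local-Admins", platform="WinServerLocal"),
]

class Inventory:
    def __init__(self):
        self.pending = {}   # key -> Discovered, awaiting a manual decision
        self.managed = {}   # key -> Managed, onboarded

    @staticmethod
    def key(a: Discovered):
        return (a.platform_type, a.address, a.name)

    def ingest(self, feed, rules=RULES):
        """Process one scan's results; return keys auto-onboarded by a rule."""
        onboarded = []
        for acct in feed:
            k = self.key(acct)
            if k in self.managed:
                # Already onboarded: merge newly detected dependencies automatically.
                known = self.managed[k].dependencies
                for dep in acct.dependencies:
                    if dep not in known:
                        known.append(dep)
                continue
            rule = next((r for r in rules if r.match(acct)), None)
            if rule is None:
                self.pending[k] = acct      # no rule matched: manual review
                continue
            self.managed[k] = Managed(acct, rule.safe, rule.platform, list(acct.dependencies))
            self.pending.pop(k, None)
            onboarded.append(k)
        return onboarded

    def onboard(self, k, safe: str, platform: str):
        """Manual onboarding decision taken from the pending list."""
        acct = self.pending.pop(k)
        self.managed[k] = Managed(acct, safe, platform, list(acct.dependencies))

    def disregard(self, k):
        """Drop an account from the pending list without managing it."""
        self.pending.pop(k)

def demo() -> Inventory:
    """Two consecutive scans over constructed sample data."""
    inv = Inventory()
    scan1 = [
        Discovered("svc_sql", "corp.example", "Windows Domain", True,
                   [("service", "MSSQLSERVER", "sql01.corp.example")]),
        Discovered("root", "db01.corp.example", "Unix SSH Key", True),
        Discovered("jdoe", "corp.example", "Windows Domain", False),
    ]
    inv.ingest(scan1)
    # Second scan: svc_sql is unchanged but now also runs a scheduled task.
    scan2 = [
        Discovered("svc_sql", "corp.example", "Windows Domain", True,
                   [("service", "MSSQLSERVER", "sql01.corp.example"),
                    ("scheduled_task", "NightlyETL", "etl01.corp.example")]),
    ]
    inv.ingest(scan2)
    return inv

if __name__ == "__main__":
    inv = demo()
    print("managed:", list(inv.managed))
    print("pending:", list(inv.pending))
```

The account key deliberately includes the platform type and address: the same username discovered as a domain account and as a local account on one host are two different secrets with different dependency sets, and collapsing them would hide one from rotation.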
