Scan for accounts using Account Discovery

This topic presents the Account Discovery capability, which scans your domain machines to discover privileged accounts and their dependencies in your organization. Discovered accounts are displayed for analysis in the Privilege Cloud Portal or retrieved by running dedicated REST APIs. You then decide which accounts should be securely managed by Privilege Cloud and add them to the system; this process is called onboarding.

This topic explains how to configure Account Discovery scans, review discovered accounts, and onboard them.

What accounts can you discover?

Account Discovery discovers the following types of accounts:

  • Windows domain and local accounts

  • Unix local accounts and SSH Keys

  • macOS accounts from within the Administrators/root groups

These accounts are grouped into two categories:

  • Pending accounts. Pending accounts are privileged accounts in your organization, which you may want to secure by applying a privileged access policy based on password or key. Scan mechanisms provide a list of potential pending accounts, allowing you to review and analyze them, and then decide whether to onboard them to Privilege Cloud, or discard them from the list.

  • Account dependencies. Account dependencies provide additional information related to the discovered accounts and indicate additional locations where an account's secrets should be changed, for example, a Windows service, or a Windows scheduled task. Account dependencies should be taken into consideration and handled when onboarding new accounts.

How Account Discovery works

The CPM Scanner service scans Windows and Unix machines for new and modified accounts and their dependencies. The discovered accounts are displayed in the Pending Accounts feed for review. You can then decide to onboard, disregard, or delete each discovered account.

  • Scanned machines. The list of machines to scan is taken from a defined source, such as your organization's Active Directory or a CSV file.

The Account Discovery process

Onboarding accounts is a continuous process, where each account goes through three steps:

Step 1: Run Discovery

Scan your environment to discover accounts that require privileged access.

  • Manual vs. scheduled scans. You can run scans once or schedule recurring scans. Recurring scans update pending accounts and their account dependencies.

  • Automatic update of dependencies. When a new dependency is discovered, it is added to the pending account's dependencies. If the account is already onboarded, newly detected dependencies are automatically onboarded as well.

  • Running account discovery on remote Unix machines. Some organizations block privileged access to remote Unix machines. In this case, a dedicated logon account with permission to log on remotely is required to log on to the remote machine. After this logon account has authenticated to the remote machine, the privileged user can run discoveries. In these environments, before creating discoveries, associate a logon account with the account that will be used to run discoveries on remote Unix machines. For more information about creating and associating logon accounts, see Create linked accounts.

Step 2: Analyze

The scan results are queued in the Pending Accounts list. Review the list, assess the risk of each account, and select which accounts to onboard and which are no longer needed and can be deleted.

Step 3: Onboard

Onboard accounts and assign them to a Safe and platform. You can also use onboarding rules to automatically assign accounts to Safes as soon as they are discovered.
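To make the three-step lifecycle concrete, here is an added Python model of it (not CyberArk code; all account, machine, service and task names are constructed). It shows how a recurring scan merges into the Pending Accounts list, how onboarding carries an account's known dependencies with it, and how a dependency found later for an already-onboarded account is onboarded automatically, which is the behaviour that keeps secret rotation from breaking services and scheduled tasks.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Dependency:           # a place where the account's secret is also used
    machine: str
    kind: str               # e.g. "WindowsService" or "ScheduledTask"
    name: str               # service or task name on that machine

@dataclass
class Inventory:
    pending: dict = field(default_factory=dict)    # account -> set[Dependency]
    onboarded: dict = field(default_factory=dict)  # account -> set[Dependency]

    def merge_scan(self, results):
        """Step 1: apply one scan run. New accounts become pending; a dependency of an
        already-onboarded account is onboarded automatically (returned for audit)."""
        auto = []
        for account, dep in results:  # dep is None when only the account was seen
            if account in self.onboarded:
                if dep is not None and dep not in self.onboarded[account]:
                    self.onboarded[account].add(dep)
                    auto.append((account, dep))
            else:
                deps = self.pending.setdefault(account, set())
                if dep is not None:
                    deps.add(dep)
        return auto

    def onboard(self, account):
        """Step 3: move a reviewed account and all known dependencies to management."""
        self.onboarded[account] = self.pending.pop(account)

def run_example():
    inv = Inventory()
    # Constructed first scan: a service account with one dependency, a local admin with none.
    inv.merge_scan([
        ("CORP\\svc_backup", Dependency("srv01", "WindowsService", "BackupAgent")),
        ("srv02\\LocalAdmin", None),
    ])
    inv.onboard("CORP\\svc_backup")  # reviewed (Step 2) and onboarded (Step 3)
    # Constructed scheduled re-scan: a repeat hit (deduplicated), a new task for the
    # managed account, and a new service for the still-pending local admin.
    auto = inv.merge_scan([
        ("CORP\\svc_backup", Dependency("srv01", "WindowsService", "BackupAgent")),
        ("CORP\\svc_backup", Dependency("srv03", "ScheduledTask", "NightlyExport")),
        ("srv02\\LocalAdmin", Dependency("srv02", "WindowsService", "Spooler")),
    ])
    return inv, auto
```

The returned `auto` list is the set of dependencies that were placed under management without a review step, which is worth auditing after each scheduled scan.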