Scan for accounts using Accounts Discovery

Use the accounts discovery capability to scan your machines according to a defined source, such as Active Directory or a CSV file, to discover privileged accounts in your organization and their dependencies.

Provisioning accounts is a continuous process, where each account goes through three steps:

Step 1: Discovery. Scan your environment to discover accounts. For details, see Run a discovery scan

Step 2: Analyze. The results of the scan are placed in a queue in the pending accounts list. Review the pending accounts list and determine which account is no longer needed and can be deleted, assess the risk of each account, and select which accounts to provision. For details, see Analyze pending accounts.

Step 3: Provision. Provision accounts and assign them to a Safe and platform. You can also use onboarding rules to put the accounts into Safes as soon as they are discovered. For details, see Onboard accounts.

Accounts discovery is done using the CPM Scanner, a service installed during CPM installation. To configure the scanner, see Configure the CPM Scanner.

Run a discovery scan

Discovery processes scan machines for new and modified accounts and their dependencies. The discovered accounts are displayed in the accounts feed accounts for review.

You can run scans once or schedule recurring scans. Recurring scans update pending accounts and account dependencies. If a new dependency was discovered, the pending account dependencies are updated with this new dependency. If the account was already provisioned, newly detected dependencies are automatically provisioned as well. For details, see Onboarding account dependencies .

In organizations where privileged access is not permitted to remote Unix machines, a logon account that only has permission to logon remotely is required to log on to the remote machine. After this logon account has authenticated to the remote machine, the privileged user can run discoveries. In these environments, before creating discoveries, associate a logon account to the account that will be used to run discoveries on remote Unix machines. For more information about creating and associating logon accounts, see Create linked accounts.

To run a scan, you must have the required permissions. For details, see Permissions required for running a scan.

  • You can stop discovery scans before they complete.
  • You can delete discovery scans once they are finished.

After you perform a discovery scan, Analyze pending accounts.

Onboarding account dependencies

Account dependencies can be discovered for accounts in the pending list or for accounts that exist in Privilege Cloud.

You can discover account dependencies by running the discovery process or by using the Add discovered accounts API.

Newly discovered dependencies for pending accounts are reflected in the pending list by updating the counter of the account dependencies.

Newly discovered dependencies for accounts that already exist in Privilege Cloud could potentially be non-legitimate or malicious. Therefore, we recommend that you review and approve each newly discovered dependency, to prevent such dependencies from being automatically managed by the system. When new dependencies associated with an existing domain account are discovered, they are automatically onboarded, and the account is disabled for automatic CPM management.

Analyze pending accounts

After you run a scan, analyze the pending accounts and SSH keys list for onboarding.

To analyze pending accounts:

  1. In the Privilege Cloud Portal, click Accounts > Pending & Discovery, and then click Pending Accounts.

    The grid displays pending accounts discovered by scans and external scanners using the AddPendingAccounts Web Service.

  2. Use the filters in the left pane to filter the accounts in the grid, and use the column headers to sort the accounts for an easier review process.
  3. Click the account in the grid to display the Account Preview pane, which includes additional information to that displayed in the grid.
  4. After you decide which account you want to onboard, proceed to Onboard accounts.

Onboard accounts

You can onboard accounts and SSH keys that are displayed in the Pending Accounts page so that you can manage them automatically.

If an account contains dependencies, the dependencies are automatically onboarded with the account. A newly discovered dependency could potentially be non-legitimate or malicious. Therefore it is recommended to review and approve each newly discovered dependency to prevent such dependencies from being onboarded automatically by the system. When a discovery finds new dependencies associated with a domain account that was previously onboarded or already exists in the system, by default, the dependencies will automatically be onboarded and the account will be disabled for automatic CPM management.

When onboarding multiple accounts that share the same SSH key, the private SSH key will only be associated with one account. After onboarding, associate all these accounts with the same group so that they can all use the same SSH key.

To onboard accounts:

  1. In Privilege Cloud Portal, click Accounts Pending & Discovery.
  2. on the Pending Accounts page, select the accounts, and then click Onboard Accounts.

    If you select multiple accounts, make sure that they are all associated with the same platform.

  3. In Store in Safe, select a safe or create a new one. To create a safe, see Add a new Safe.


    For a safe to display in the list you must:

    • Be a member of the safe
    • Have the Add accounts permission

    Internal safes are not displayed.

  4. From the Assign Platform drop-down list, select the platform.

  5. In the Password section, select one of the following:

    Automatically reconcile password

    The passwords are reconciled automatically after they have been onboarded.

    This option is only enabled for platforms that are configured for account reconciliation.

    Set a default password

    Specify the password that will be set in the selected accounts, and then confirm it.

    This sets the passwords for the accounts in Privilege Cloud, it does not reset actual passwords on target systems. For more information about synchronizing passwords, see Reconcile passwords.

  6. Click Onboard, and when the process completes, click Done.

Permissions required for running a scan

You need the following permissions to run a discovery scan:

Stop a discovery process

You can stop a discovery process manually when the discovery is running.

When you stop a discovery:

  • A list of pending accounts is created, which includes accounts that were already discovered. As the discovery is not completed, some account dependencies may not be included.

  • A discovery log is written that contains details about the user who stopped it and the time when it was stopped. This discovery log can be accessed by a link in the Discovery Preview pane. These details are also written in the central CACPMScanner.log file in the PasswordManager\Logs folder.

To stop a running discovery:

  1. In the Privilege Cloud Portal, click Accounts > Pending & Discovery, and then click Discovery Management.

  2. In the Discovery Management page, select the discovery you want to stop, and then click Stop.

    In the message that appears, click Stop Discovery, and then click OK to confirm your action.

    The state of the discovery changes to Stopping and the Last Run Status changes to Stopped.

Delete discovery processes

Delete a discovery process when you no longer need it.

You cannot delete a discovery process while it is running.

To access the discovery processes, in the Privilege Cloud Portal, click Accounts > Pending & Discovery, and then click Discovery Management.

When you delete a recurring discovery, the selected discovery is deleted together with all its details and details of the previous times it ran.

Discovery process statuses

The following table includes a description of all the discovery process statuses.




The discovery is currently running and scanning for accounts.


The discovery is in the process of being stopped. After the discovery has been stopped, its status changes to ‘Stopped’.


The discovery is still waiting to be run and has not yet started.

Completed successfully

The discovery was completed successfully and no errors were encountered during the scan.

Completed with errors

The discovery was completed but errors occurred. You can view the errors that occurred during this discovery in the specific discovery log.

For details, see Scan for accounts using Accounts Discovery.


The discovery failed to run. For example, a failed connection to the Active Directory or a user with insufficient privileges. The discovery stops immediately and updates its status to Failed.

For details, see Scan for accounts using Accounts Discovery.

Discovery error logs

When a discovery scan is not completed successfully, an error log is created that contains the errors that occurred during the scan. After you fix the errors, you can rerun the discovery.

A log is created for discoveries that end in the following ways:

  • Discoveries that end with a failure

  • Discoveries that complete with errors

  • Discoveries that are stopped manually

The discovery errors are in the CACPMScanner.log file, located in the PasswordManager\Logs folder.


When discoveries are deleted, their log files are also deleted. Logs that are created for recurring discoveries are overwritten each time the discovery starts running again.

To view the discovery error log:

  1. In the Privilege Cloud Portal, click Accounts > Pending & Discovery, and then click Discovery Management.

  2. Select the discovery that was stopped.

  3. In the Discovery Preview pane, click the link for the error log file.


    If the discovery finished successfully, an error log is not created and there won't be a link for that discovery scan in the Preview pane.

Timeout error

The log may include an error that indicates the machine reached its timeout limit. This means there was an issue on the machine that caused the scan to stop and wait for a resolution. If the issue was not resolved before the timeout limit is reached, the discovery process moves on to the next machine.

You can define the timeout parameter limit. For more information about setting the timeout parameter, see MachineScanTimeoutInMinutes .