Privileged account discovery
Concepts
Privileged account discovery is a function that finds privileged accounts on Windows devices. In addition to reporting, the function optionally imports the discovered accounts into the vault as assets, linked to each other so that they are ready for the credential rotation and privileged access functionality.
The function discovers the following accounts on the Windows devices:
- Members of the Administrators group.
- Service logon accounts.
- Tasks Run As accounts.
- Application pool identity accounts.
The function discovers both local and domain accounts.
Privileged account discovery is an extension of the other asset discovery options that continuously load assets into the Credential Vault from sources such as Active Directory, VMware, AWS or Entra ID. Those continuous import functions discover assets from aggregated directories and databases; the discovery function complements them by finding privileged accounts through analysis of individual devices.
How to use
Privileged account discovery is based on scripts added to asset task lists. Use the following options to execute the scripts individually or in bulk:
- Execute the discovery script interactively on the selected asset.
- Mass execute the discovery script interactively on multiple selected assets.
- Add the script to the asset type to make it available to multiple assets for bulk execution.
- Schedule the script to run periodically in the asset type or individual asset task list.
Privileged account discovery supports two modes:
- Reporting
- Importing
Privileged account discovery in reporting mode
Execute the Windows Discover Privileged Accounts script to discover privileged accounts on a Windows device.
The script produces its output in the jobs report in the format depicted in the image below.
The report includes the following information:
- Domain is the domain of the discovered account.
- Name is the name of the discovered account.
- Account is the full account name in domain or UPN format.
- IsLocalAdministrator is the flag indicating whether the account is a local administrator.
- UsedByServices is the list of services running on the device that use this account as a logon account.
- UsedByTasks is the list of tasks scheduled on the device that use this account as a Run As account.
- UsedByAppPools is the list of application pools that use this account as a pool identity.
- IsServiceLogon indicates whether the account is used by any service.
- IsTaskRunAs indicates whether the account is used as a Run As account by any of the scheduled tasks.
- IsAppPoolIdentity indicates whether the account is used by any application pool.
The site jobs report can be filtered by the script name to view or export the mass execution results of privileged account discovery for multiple assets.
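The following PowerShell script is an added example, not the product's own discovery script: it collects the four account sources listed above from the local device and emits one row per account with the same columns as the jobs report. It assumes Windows PowerShell 5.1 or later with the LocalAccounts and ScheduledTasks modules, and the WebAdministration module where IIS is installed; skipping well-known virtual principals (LocalSystem, NT AUTHORITY\*, and so on) is an assumption of this example.

```powershell
# Added example, not the product's own discovery script: builds the report
# described above for the local device. Assumes Windows PowerShell 5.1+ with the
# LocalAccounts and ScheduledTasks modules; IIS pools need WebAdministration.
function Get-PrivilegedAccountReport {
    $accounts = @{}
    # Well-known virtual principals have no vaultable password; skipping them is an assumption
    $builtin = '^(LocalSystem|SYSTEM|INTERACTIVE|NT AUTHORITY\\.*|NT SERVICE\\.*|IIS APPPOOL\\.*|BUILTIN\\.*)$'
    function Get-Entry([string]$Account) {
        # Normalise ".\user" and bare local names to COMPUTER\user; keep DOMAIN\user and UPNs as-is
        $acct = $Account -replace '^\.\\', "$env:COMPUTERNAME\"
        if ($acct -match '^(.+)@(.+)$')  { $name, $domain = $Matches[1], $Matches[2] }
        elseif ($acct -match '\\')       { $domain, $name = $acct -split '\\', 2 }
        else { $domain = $env:COMPUTERNAME; $name = $acct; $acct = "$domain\$name" }
        if (-not $accounts.ContainsKey($acct)) {
            $accounts[$acct] = [pscustomobject]@{
                Domain = $domain; Name = $name; Account = $acct; IsLocalAdministrator = $false
                UsedByServices = @(); UsedByTasks = @(); UsedByAppPools = @()
            }
        }
        $accounts[$acct]
    }

    # 1. Members of the local Administrators group (user objects only)
    Get-LocalGroupMember -Group 'Administrators' | Where-Object ObjectClass -eq 'User' |
        ForEach-Object { (Get-Entry $_.Name).IsLocalAdministrator = $true }
    # 2. Service logon accounts
    Get-CimInstance Win32_Service | Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
        ForEach-Object { $e = Get-Entry $_.StartName; $e.UsedByServices += $_.Name }
    # 3. Scheduled task Run As principals
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -and $_.Principal.UserId -notmatch $builtin } |
        ForEach-Object { $e = Get-Entry $_.Principal.UserId; $e.UsedByTasks += $_.TaskName }
    # 4. Application pools configured to run as a specific user
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        Get-ChildItem IIS:\AppPools | Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
            ForEach-Object { $e = Get-Entry $_.processModel.userName; $e.UsedByAppPools += $_.Name }
    }

    # One row per account with the report's columns; the Is* flags are derived from the usage lists
    $accounts.Values | Select-Object Domain, Name, Account, IsLocalAdministrator,
        @{n='UsedByServices';    e={ $_.UsedByServices -join ';' }},
        @{n='UsedByTasks';       e={ $_.UsedByTasks -join ';' }},
        @{n='UsedByAppPools';    e={ $_.UsedByAppPools -join ';' }},
        @{n='IsServiceLogon';    e={ $_.UsedByServices.Count -gt 0 }},
        @{n='IsTaskRunAs';       e={ $_.UsedByTasks.Count -gt 0 }},
        @{n='IsAppPoolIdentity'; e={ $_.UsedByAppPools.Count -gt 0 }}
}
Get-PrivilegedAccountReport | Sort-Object Account | Format-Table -AutoSize
```

Run it in an elevated session, since enumerating group membership, services and scheduled tasks for other principals requires local administrator rights.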
Privileged account discovery in import mode
Execute the Windows Discover and Import Privileged Accounts script to discover privileged accounts on a Windows device and import the discovered accounts into the Credential Vault.
The function discovers privileged accounts on the device in the same way as the Windows Discover Privileged Accounts script. After the report is complete, the function imports each discovered account into the Credential Vault.
When the discovered account is a local (non-domain) account, the import does the following:
- Searches for the asset using the Host and User criteria.
- Creates a new asset in the same container with the Host and User fields if no asset for the discovered account is found.
- Adds the account asset as a member of the device asset so that it can be used to establish privileged sessions to the main device.
- Adds the device asset as a shadow member of the account asset so that it can be used to manage the account password.
When the discovered account is a domain account, the import does the following:
- Searches for the asset using the Host and User criteria.
- Reports domain account assets that are not found to the Event Log.
- Adds the account asset as a member of the device asset so that it can be used to establish privileged sessions to the main device.
Importing a domain account does not create assets, for security and integrity reasons; it relies on the domain account assets having been created manually or imported using other mechanisms (for example, CSV import). The discovery process does, however, add the domain account assets to the device asset to enable remote session access and the update of service dependencies after the domain account credentials are rotated.
The import function for both local and domain discovered accounts is re-entrant, in the sense that it can be run multiple times, importing only newly discovered accounts and keeping previously created assets and links intact.
The import function produces an event log record for each imported account.
