
Privileged Account Discovery

Privileged Account Discovery enables you to automatically detect privileged accounts on Windows devices and optionally import them into the Credential Vault. This feature supports both reporting and importing modes, allowing organizations to identify accounts used for administrative tasks, services, scheduled tasks, and application pools.

The discovery mechanism works at the device level, complementing other asset discovery integrations with sources such as Active Directory, VMware, AWS, and Entra ID.

What Accounts Are Discovered

The discovery process identifies both local and domain accounts used in the following roles on Windows devices:

  • Members of the Administrators group
  • Service logon accounts
  • Scheduled tasks ("Run As") accounts
  • Application pool identity accounts

Using Privileged Account Discovery

Privileged account discovery is executed using predefined scripts assigned to assets or asset types. These scripts can be run in different ways:

Script Execution Options

  • Run interactively on a single asset
  • Run interactively on multiple selected assets (bulk execution)
  • Add the script to an asset type to enable reuse across similar assets
  • Schedule the script to run periodically via asset or asset type task lists

Discovery Modes

Privileged Account Discovery supports two operational modes:

  • Reporting Mode – For visibility and auditing
  • Import Mode – For importing discovered accounts directly into the vault

Reporting Mode

To discover accounts without importing them, execute the following script on the target asset(s):

Windows Discover Privileged Accounts

Output Report

The script writes its output to the asset's Jobs Report. Each row describes one discovered account with the following fields:

  • Domain – Domain of the discovered account
  • Name – Account name
  • Account – Full account name (domain\username or UPN)
  • IsLocalAdministrator – Whether the account is a member of the local Administrators group
  • UsedByServices – Services that use the account for logon
  • UsedByTasks – Scheduled tasks that run as the account
  • UsedByAppPools – Application pools that use the account as their identity
  • IsServiceLogon – Whether the account is used by at least one service
  • IsTaskRunAs – Whether the account is used by at least one scheduled task
  • IsAppPoolIdentity – Whether the account is used by at least one application pool

Discovery Reporting Mode - Job Output Example

Tip

Use the site Jobs Report filtering options (e.g., by script name) to review or export results from mass executions for multiple assets.
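The following PowerShell function is an added example, not the product's discovery script, that enumerates the four roles listed under "What Accounts Are Discovered" on the local Windows host and emits one record per account with the same fields as the Jobs Report. It assumes an elevated session on Windows 10 / Server 2016 or later, uses only built-in cmdlets plus the WebAdministration module when IIS is present, and normalises the various spellings of one identity (".\svc", "HOST\svc", "svc@contoso.com") onto a single DOMAIN\USER key so that a service, a task and an app pool using the same account are merged into one row.

```powershell
# Added example (not the product's script): build a Jobs-Report-style inventory of
# privileged accounts on the local host. Assumes an elevated PowerShell session.
function Get-PrivilegedAccountInventory {
    [CmdletBinding()]
    param(
        # SYSTEM, LOCAL SERVICE and NETWORK SERVICE are skipped unless requested;
        # they carry no vaultable password.
        [switch] $IncludeBuiltIn
    )

    $computer = $env:COMPUTERNAME.ToUpperInvariant()
    $builtIn  = '^(S-1-5-(18|19|20)|(NT AUTHORITY\\)?(SYSTEM|LOCALSYSTEM|LOCAL ?SERVICE|NETWORK ?SERVICE))$'

    function Test-BuiltIn([string] $Name) { return ($Name.Trim() -match $builtIn) }

    # Collapse ".\user", bare "user" and "user@domain" onto DOMAIN\USER. The UPN branch
    # keeps only the left-most DNS label as the NetBIOS name, which is an approximation.
    function ConvertTo-AccountKey([string] $Name) {
        $n = $Name.Trim()
        if     ($n -match '^\.\\(.+)$')            { $n = "$computer\$($Matches[1])" }
        elseif ($n -match '^([^\\@]+)@([^@]+)$')   { $n = "$($Matches[2].Split('.')[0])\$($Matches[1])" }
        elseif ($n -notmatch '\\')                 { $n = "$computer\$n" }
        return $n.ToUpperInvariant()
    }

    # Raw (account, role, consumer) observations; grouped into report rows at the end.
    $usages = [System.Collections.Generic.List[object]]::new()
    function Add-Usage([string] $Account, [string] $Role, [string] $Consumer) {
        if ([string]::IsNullOrWhiteSpace($Account)) { return }
        if (-not $IncludeBuiltIn -and (Test-BuiltIn $Account)) { return }
        $usages.Add([pscustomobject]@{ Account = (ConvertTo-AccountKey $Account); Role = $Role; Consumer = $Consumer })
    }

    # 1. Members of the local Administrators group, addressed by well-known SID so a
    #    renamed group is still found. Nested groups are reported as the group itself.
    try {
        Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
            ForEach-Object { Add-Usage $_.Name 'Admin' 'Administrators' }
    } catch { Write-Warning "Administrators group enumeration failed: $_" }

    # 2. Service logon accounts (StartName of every installed service).
    Get-CimInstance -ClassName Win32_Service |
        ForEach-Object { Add-Usage $_.StartName 'Service' $_.Name }

    # 3. Scheduled task "Run As" principals. UserId is empty for group-based principals.
    Get-ScheduledTask |
        ForEach-Object { Add-Usage $_.Principal.UserId 'Task' ($_.TaskPath + $_.TaskName) }

    # 4. IIS application pools configured to run as a specific user.
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration -ErrorAction SilentlyContinue
        Get-ChildItem IIS:\AppPools | ForEach-Object {
            if ($_.processModel.identityType -eq 'SpecificUser') {
                Add-Usage $_.processModel.userName 'AppPool' $_.name
            }
        }
    }

    # One row per normalised account, shaped like the Jobs Report fields.
    $usages | Group-Object -Property Account | ForEach-Object {
        $domain, $name = $_.Name -split '\\', 2
        $g        = $_.Group
        $services = @($g | Where-Object Role -eq 'Service' | ForEach-Object Consumer)
        $tasks    = @($g | Where-Object Role -eq 'Task'    | ForEach-Object Consumer)
        $pools    = @($g | Where-Object Role -eq 'AppPool' | ForEach-Object Consumer)
        [pscustomobject]@{
            Domain               = $domain
            Name                 = $name
            Account              = $_.Name
            IsLocalAdministrator = @($g | Where-Object Role -eq 'Admin').Count -gt 0
            UsedByServices       = $services -join ';'
            UsedByTasks          = $tasks    -join ';'
            UsedByAppPools       = $pools    -join ';'
            IsServiceLogon       = $services.Count -gt 0
            IsTaskRunAs          = $tasks.Count    -gt 0
            IsAppPoolIdentity    = $pools.Count    -gt 0
        }
    }
}

# Usage: print the inventory, or pipe to Export-Csv to keep a baseline for comparison.
Get-PrivilegedAccountInventory | Sort-Object Account | Format-Table -AutoSize
```

Run it inside Invoke-Command to collect the same inventory from remote hosts. Comparing successive exports is a cheap way to notice a new service, task or app pool identity appearing between scheduled discovery runs, which is the kind of change the reporting mode exists to surface.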


Import Mode

To both discover and import privileged accounts into the Credential Vault, execute the following script:

Windows Discover and Import Privileged Accounts

This script performs the same discovery operation as in reporting mode, but additionally imports discovered accounts into the vault and links them with relevant assets.

Importing Local Accounts

When a discovered account is a local (non-domain) account, the import process:

  1. Searches for an existing asset using host and user criteria.
  2. Creates a new asset (with host and user) in the same container if no match is found.
  3. Links the account asset as a Member of the corresponding device asset (for privileged sessions).
  4. Links the device asset as a Shadow Member of the account asset (for credential rotation).

Importing Domain Accounts

When a discovered account is a domain account, the import process:

  1. Searches for an existing asset using host and user identifiers.
  2. Logs any not-found domain accounts in the Event Log.
  3. Links the account asset as a Member of the device asset (for privileged session use).

Note

Domain accounts are not automatically created for security and integrity reasons. These accounts must be pre-imported via CSV or other import mechanisms. However, the discovery process will still link them to relevant assets, enabling session access and password rotation dependency updates.

Importing Domain Service, Tasks or App Pool Accounts

When a discovered domain account is used by Windows services, scheduled tasks or application pools, complete the following steps so that the Import process can manage those accounts:

  1. Pre-create and enable an LDAP integration to the Active Directory domain controller where these domain accounts reside.
  2. Pre-create one asset, using the LDAP Administrator asset type, to store the Domain Administrator credentials that will be used to manage the passwords of the imported accounts.
  3. Schedule the Import of Active Directory Domain Service Accounts. This import creates one asset of the LDAP User type in the vault for each domain service account and adds the pre-created Domain Administrator asset as a Shadow Member of each of them. The Domain Administrator account can then be used to manage the password of each domain service account.

Import Domain Service Account Example

Note

The Service Account import Query must return all domain service accounts, and only those domain service accounts, that are to be managed in the Credential Vault. Modify the Query as required.


Repeatable Execution and Logging

The import process is repeatable, meaning it can be executed multiple times without duplicating assets. Only new accounts are imported, while previously created assets and their linked relationships remain unchanged.

Each imported account generates an event log entry for traceability.
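To make the import rules above concrete, here is an added PowerShell model of the documented flow (not the product's import script and not its API): local accounts are found or created and linked both ways (Member and Shadow Member), domain accounts are never created but are linked as Members when they already exist and logged when they are not, and every run is idempotent. The vault, asset and link shapes, the sample assets and the discovered records are all constructed for illustration; the LDAP integration for domain service accounts is outside this model.

```powershell
# Added example: in-memory model of the import rules (local vs. domain handling,
# Member / Shadow Member links, not-found logging, repeatable runs). The $Vault
# structure (Assets, Links, EventLog lists) is a stand-in for the real vault.
function Invoke-PrivilegedAccountImport {
    param(
        [Parameter(Mandatory)] [object[]]  $Discovered,   # rows from a discovery run
        [Parameter(Mandatory)] [hashtable] $Vault,        # Assets, Links, EventLog
        [Parameter(Mandatory)] [string]    $DeviceHost,   # device the discovery ran on
        [string] $Container = 'Discovered'                # container for new local assets
    )
    $summary = [ordered]@{ Created = 0; Linked = 0; NotFound = 0 }

    # Step 1 of both procedures: match an existing asset on host + user.
    function Find-Asset([string] $HostName, [string] $User) {
        $Vault.Assets | Where-Object { $_.Host -ieq $HostName -and $_.User -ieq $User } | Select-Object -First 1
    }
    # Links are only added once, which is what makes re-runs safe.
    function Add-Link([string] $From, [string] $To, [string] $Kind) {
        $exists = $Vault.Links | Where-Object { $_.From -eq $From -and $_.To -eq $To -and $_.Kind -eq $Kind }
        if (-not $exists) {
            $Vault.Links.Add([pscustomobject]@{ From = $From; To = $To; Kind = $Kind })
            $summary.Linked++
        }
    }

    $device = $Vault.Assets | Where-Object { $_.Type -eq 'Device' -and $_.Host -ieq $DeviceHost } | Select-Object -First 1
    if (-not $device) { throw "No device asset for $DeviceHost; discovery must run against a known asset" }

    foreach ($acct in $Discovered) {
        if ($acct.Domain -ieq $DeviceHost) {
            # Local account: create if missing, then link in both directions.
            $asset = Find-Asset $DeviceHost $acct.Name
            if (-not $asset) {
                $asset = [pscustomobject]@{ Id = "asset-$($Vault.Assets.Count + 1)"; Type = 'Account'
                                            Host = $DeviceHost; User = $acct.Name; Container = $Container }
                $Vault.Assets.Add($asset)
                $summary.Created++
                $Vault.EventLog.Add("Created local account asset $($asset.Id) for $($acct.Account)")
            }
            Add-Link $asset.Id  $device.Id 'Member'        # account -> device, for privileged sessions
            Add-Link $device.Id $asset.Id  'ShadowMember'  # device -> account, for credential rotation
        } else {
            # Domain account: never created here; log it if it was not pre-imported.
            $asset = Find-Asset $acct.Domain $acct.Name
            if (-not $asset) {
                $summary.NotFound++
                $Vault.EventLog.Add("Domain account $($acct.Account) not found in vault; not created")
                continue
            }
            Add-Link $asset.Id $device.Id 'Member'
        }
        $Vault.EventLog.Add("Imported $($acct.Account) on $DeviceHost")
    }
    return [pscustomobject]$summary
}

# Constructed sample vault: one device asset and one pre-imported domain account.
$vault = @{
    Assets   = [System.Collections.Generic.List[object]]::new()
    Links    = [System.Collections.Generic.List[object]]::new()
    EventLog = [System.Collections.Generic.List[string]]::new()
}
$vault.Assets.Add([pscustomobject]@{ Id = 'asset-1'; Type = 'Device';  Host = 'WEB01';   User = '';        Container = 'Servers' })
$vault.Assets.Add([pscustomobject]@{ Id = 'asset-2'; Type = 'Account'; Host = 'CONTOSO'; User = 'svc-web'; Container = 'Domain'  })

# Constructed discovery rows: a local admin, a known domain service account, an unknown one.
$discovered = @(
    [pscustomobject]@{ Domain = 'WEB01';   Name = 'LocalAdmin'; Account = 'WEB01\LOCALADMIN';    IsLocalAdministrator = $true }
    [pscustomobject]@{ Domain = 'CONTOSO'; Name = 'svc-web';    Account = 'CONTOSO\SVC-WEB';     IsServiceLogon = $true }
    [pscustomobject]@{ Domain = 'CONTOSO'; Name = 'svc-backup'; Account = 'CONTOSO\SVC-BACKUP';  IsTaskRunAs = $true }
)

$firstRun  = Invoke-PrivilegedAccountImport -Discovered $discovered -Vault $vault -DeviceHost 'WEB01'
$secondRun = Invoke-PrivilegedAccountImport -Discovered $discovered -Vault $vault -DeviceHost 'WEB01'
$firstRun, $secondRun | Format-Table
$vault.EventLog
```

The first run creates the one missing local asset, adds its two links plus the Member link for the existing domain account, and records the unknown domain account as not found. The second run creates nothing and adds no links, while the not-found domain account is logged again until it is imported through CSV or the Domain Service Account import; that recurring event is the signal to act on.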