
Account Discovery


Along with Password Management, the Account Discovery feature is an integral part of Syteca's Privileged Access Management (PAM) functionality.


The Account Discovery feature allows both:

1. Accounts discovery: Automatic network scanning to detect a list of user accounts in a specific domain.

2. Account onboarding: Adding new Password Management account secrets by onboarding the user accounts discovered to the vault using the account parameters (i.e. Login, rotated Password, and Domain (for Active Directory accounts) or Computer name (Windows local accounts)).


To discover accounts, account discovery rules must first be created.

Both new and modified Active Directory and Windows local accounts can then be discovered on the network automatically by running the rules (which perform the network scans), and the discovered accounts can then be selectively onboarded into new Password Management account secrets, either individually or by using Bulk Action to onboard multiple accounts simultaneously, without needing to know their credentials.


NOTE: For Active Directory and Windows local accounts to be discovered, the associated LDAP Target must first be added on the LDAP Targets tab (on the Configuration page).

NOTE: The Account Discovery page is only available for use by Management Tool users with the administrative Privileged Accounts Management permission and with a PAM seat license.



1. Viewing (and Managing) Accounts Discovery Rules


To view (and edit or delete) existing account discovery rules, do the following:

1. Log in to the Management Tool as a user with the administrative Privileged Accounts Management permission.

2. Click the Account Discovery navigation link (on the left).

3. On the Account Discovery page that opens, select the Rules tab, which lists all existing rules in a grid with the following columns for each rule:

- Name: The name of the account discovery rule, along with a color-coded Status icon for the last time the rule was run, where the status is one of:
  - Completed: for a Finished task on the Tasks List tab (on the System Health page - see below).
  - Completed with errors: for a Failed task on the Tasks List tab.
  - Canceled: for a Canceled task on the Tasks List tab, or for a rule that has not been executed yet.
  - In progress: for a Queued or In progress task on the Tasks List tab.

- Type: Either:
  - The Active Directory icon: For Active Directory Discovery (i.e. for discovering Active Directory accounts).
  - The Windows icon: For Computer Discovery (i.e. for discovering Windows local accounts).

- Last Run Time: The date & time when the rule was last run (not displayed if the rule has never been run).

NOTE: The date & time displayed can be clicked to open the Tasks List tab in a new browser tab, filtered by the rule.

- Next Run Time: The date & time when the rule is scheduled to run next (only displayed if Scheduled Discovery is enabled in the rule).

- Description: The description of the account discovery rule.

- The Start icon: Can be clicked to run the corresponding rule at any time (not displayed while the rule is running).

4. To edit a rule (and optionally delete it by clicking the Delete button while editing), click anywhere on the corresponding row in the grid, and then edit it in the pop-up window that opens, in the same way as when adding a rule (see below).

 

2. Adding (and Running) Account Discovery Rules

 

To add (and run) a new account discovery rule, do the following:

1. Log in to the Management Tool as a user with the administrative Privileged Accounts Management permission.

2. Click the Account Discovery navigation link (on the left).

3. On the Account Discovery page that opens, select the Rules tab which displays a list of all existing rules added in the grid.

4. Click the Add button (in the top right of the Rules tab).

5. In the Add Discovery Rule pop-up window that opens, specify the required values to configure the parameters in the following sections:

General:

- Rule name: Enter a name for the account discovery rule (only unique names are permitted).
- Description (optional): Enter a description for the account discovery rule.
- Type: Select either:
  - Active Directory Discovery: For Active Directory domain admin privileged accounts (i.e. accounts with domain administrator permissions).
  - Computer Discovery: For Windows local privileged accounts on computers (i.e. local users that are members of the computer's Administrators group).
- Source domain: Select a domain from the list of all domains added as associated LDAP targets on the LDAP Targets tab (on the Configuration page).
- Discover accounts from specific OUs / groups (optional): Select one or more organizational units / groups in the drop-down list (i.e. from those in the selected Source domain).
- Select account to use for scans: In the drop-down list of Active Directory secrets (i.e. those in the domain selected as the Source domain above), select the Password Management account secret under which the network scan will run. Only secrets for which the user has the Owner/Editor Role Type permissions are listed.

NOTE: The "Add Secret" button can be clicked to add a new Active Directory account to the drop-down list of Active Directory secrets (by adding a secret in the usual way on the Password Management page that opens in a new browser tab).

Scheduled Discovery (optional): Enable the toggle (on the right) to run the rule's network scans automatically according to a schedule, specified as follows:

- Recurring scans every: Specify the frequency of the recurring network scans (either in days or in hours).
- Start at: Specify the start time for the scans (only if the frequency is specified in days).

Actions:

- Send email notification about new accounts found to (optional): Select one or more users to be notified by email about new accounts discovered when a network scan is Completed (or Completed with errors).

NOTE: The corresponding users must have an Email address specified in their user account (i.e. when editing or adding a user on the User Management page).

6. Click the Save button to add the new account discovery rule (which is then displayed in the grid on the Rules tab).

7. To run a discovery rule manually at any time (whether Scheduled Discovery is enabled in it or not), click the Start icon next to it (on the right) to start the network scan.

NOTE: While an account discovery scan is running, if the secret specified in the "Select account to use for scans" drop-down list of the rule has either of the following checkboxes selected (when editing or adding the secret):

- "Enable remote password rotation" (on the secret's Automation tab): Remote password rotation is postponed and the "Rotate Now" button is disabled.
- "Requires check out" (on the secret's Security tab): The secret's password is checked out (by the system), so the secret cannot be used by another user.

8. When a discovery rule is run (either manually, or automatically if Scheduled Discovery is enabled in it), the corresponding Account Discovery task is added to the list on the Tasks List tab (on the System Health page), where:

- The task can be Canceled (while its status is Queued or In progress) by clicking the Cancel icon (on the right).
- The task's log file can be downloaded (when its status is Finished or Failed) by clicking the Download Logs icon (on the right).

If a task Failed (or does not start), this may be due to any of the following reasons:

- The secret specified for the scan (i.e. the secret selected in the Select account to use for scans field of the discovery rule) has any of the following issues:
  - Remote password rotation has failed (i.e. the secret's most recent password rotation failed).
  - The account credentials stored in the secret are invalid.
  - The secret is currently in use by another user, i.e. its password is checked out by another user (if the Requires check out checkbox is selected on the secret's Security tab).
  - The user account in the secret does not have the required domain admin privileges (i.e. the privileges of a member of the Domain Admins or Enterprise Admins group).
  - The user does not have approval (on the secret's Restrictions tab).
- The LDAP Target (added on the Configuration page) associated with the discovery rule does not exist (e.g. because it has been deleted).

NOTE: If the system fails to scan the user accounts on any computer in a rule of the Computer Discovery type, the Account Discovery task has the "Failed" status (and the rule has the "Completed with errors" status), while the user accounts discovered on the other computers are still added and displayed on the Privileged Accounts tab.

9. When an account discovery task is completed (i.e. when its status is Finished or Failed), an email is sent to the email address(es) of the user(s) specified in the Send email notification about new accounts found to field of the rule.


3. Viewing Accounts Discovered


To view (or delete) accounts discovered, do the following:

1. Log in to the Management Tool as a user with the administrative Privileged Accounts Management permission.

2. Click the Account Discovery navigation link (on the left).

3. On the Account Discovery page that opens, on the Privileged Accounts tab (on both the Active Directory and Windows local sub-tabs), the accounts previously discovered by rules that have been run (i.e. Completed or Completed with errors) are listed in a grid with the following columns:

- Select checkbox: The checkbox (or the Select All checkbox in the column header) can be clicked to select any number of the accounts listed on the page, so that the Bulk Action button (in the top left) can then be used to manage multiple accounts simultaneously.

- Login: The user login name of the account discovered.

- User Name: The First Name and Last Name specified in the account discovered.

- Status: One of:
  - Unmanaged (default value): Accounts that have not yet been onboarded.
  - Managed: Accounts that have already been onboarded.
  - Expired: Accounts that were discovered in previous scans, but not found in the latest scan.

- Computer [for Windows local accounts only]: The name of the computer on which the account was discovered.

- Discovered: The date & time when the account was last discovered.

- Secret Name: The name of the secret that was created for this account (if onboarded).

- Discovery Rule: The name of the account discovery rule that discovered the account.

NOTE: If the same account was discovered by multiple rules, only one record (row) is added to the grid, and the name of the rule that was run last is used.

NOTE: If the rule associated with the account was deleted, the name of the rule is displayed in the following format: <Discovery rule name> (deleted)


To delete Unmanaged or Expired accounts, select the checkboxes on the left of the required Unmanaged or Expired accounts (only), and then click the Bulk Action button and select Remove.

NOTE: Checkboxes are only displayed for Unmanaged and Expired accounts.
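To make the status lifecycle above concrete (one row per account, last rule wins, Expired when an account disappears from the latest scan, "(deleted)" suffix for removed rules, and Remove offered only for Unmanaged and Expired rows), here is an added Python model. It is not Syteca's code: the rule names, logins and timestamps are constructed sample data, and the exact expiry condition (the account is missing from the most recent run of the rule that last found it) and the assumption that a Managed account keeps its status are assumptions the page does not spell out.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, Optional

# Added illustrative model of the Privileged Accounts grid described above.
# It is not Syteca's implementation; rule names, logins and times below are
# constructed sample data.


@dataclass(frozen=True)
class ScanRun:
    """One completed run (Finished or Failed) of a discovery rule."""
    rule: str
    finished_at: datetime
    accounts: FrozenSet[str]      # logins found by this run


@dataclass
class DiscoveredAccount:
    """One row of the grid: Login, Status, Discovered, Discovery Rule, Secret Name."""
    login: str
    status: str                   # "Unmanaged", "Managed" or "Expired"
    discovered: datetime          # when the account was last discovered
    rule: str                     # rule that last found it, "(deleted)" suffix if removed
    secret_name: Optional[str]    # set once the account has been onboarded


def reconcile(runs, onboarded, deleted_rules) -> Dict[str, DiscoveredAccount]:
    """Build the grid from all completed runs.

    Assumptions not spelled out on the page: an account becomes Expired when the
    most recent run of the rule that last found it no longer lists it, and an
    onboarded (Managed) account keeps that status.
    """
    latest_run_of: Dict[str, ScanRun] = {}
    rows: Dict[str, DiscoveredAccount] = {}
    for run in sorted(runs, key=lambda r: r.finished_at):
        latest_run_of[run.rule] = run
        for login in run.accounts:
            # One row per account, even if several rules found it: the rule
            # that ran last wins, and the Discovered time is refreshed.
            rows[login] = DiscoveredAccount(login, "Unmanaged", run.finished_at, run.rule, None)
    for row in rows.values():
        if row.login in onboarded:
            row.status, row.secret_name = "Managed", onboarded[row.login]
        elif row.login not in latest_run_of[row.rule].accounts:
            row.status = "Expired"
        if row.rule in deleted_rules:
            row.rule = f"{row.rule} (deleted)"
    return rows


def removable(row: DiscoveredAccount) -> bool:
    """Checkboxes (and Bulk Action > Remove) apply only to Unmanaged and Expired rows."""
    return row.status in ("Unmanaged", "Expired")


def build_sample() -> Dict[str, DiscoveredAccount]:
    """Constructed scenario: two rules, one of them deleted after its last run."""
    runs = [
        ScanRun("AD admins - weekly", datetime(2024, 5, 1, 2, 0), frozenset({"jdoe", "asmith", "cthomas"})),
        ScanRun("Finance OU", datetime(2024, 5, 3, 2, 0), frozenset({"asmith", "bwong"})),
        ScanRun("AD admins - weekly", datetime(2024, 5, 8, 2, 0), frozenset({"jdoe"})),
    ]
    onboarded = {"jdoe": "AD-jdoe"}          # login -> Secret Name after onboarding
    return reconcile(runs, onboarded, deleted_rules={"Finance OU"})


if __name__ == "__main__":
    for row in build_sample().values():
        print(f"{row.login:8} {row.status:10} {row.discovered:%Y-%m-%d} "
              f"{row.rule:28} {row.secret_name or '-'}  removable={removable(row)}")
```

Running the sample shows jdoe as Managed (it was onboarded), asmith and bwong as Unmanaged under "Finance OU (deleted)" (asmith was also found by the weekly rule earlier, but the later run wins and only one row exists), and cthomas as Expired because the weekly rule's latest run no longer lists it; only the last three rows are removable.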

 

To search the accounts in the list, enter the name (or part of the name) in the Search box (in the top right of the page) to search by Login, User Name, Computer (for Windows local accounts only), or Secret Name.


To filter the accounts in the list, use the various filters (at the top of the page).


4. Onboarding Accounts Discovered

 

To onboard the accounts discovered (into new secrets), do the following:

1. Log in to the Management Tool as a user with the administrative Privileged Accounts Management permission.

2. Click the Account Discovery navigation link (on the left).

3. On the Account Discovery page that opens, on the Privileged Accounts tab, optionally use the filters (e.g. the Status filter to select only Unmanaged accounts), and then either:

- To onboard a single account: Click the Unmanaged icon in the Status column of the account to be onboarded.
- To onboard multiple accounts simultaneously: Select the checkboxes on the left of the accounts to be onboarded (only accounts with the Unmanaged status), then click the Bulk Action button (in the top left of the page) and select Onboard in the drop-down list that opens.

4. In the Onboard Account(s) pop-up window that opens, on the Properties tab, specify the values that configure the new secret(s) to be added when onboarding the account(s), in the following sections:

General:

- Secret Name: Enter a name for the secret (not available when multiple accounts are selected using Bulk Action, in which case the secret names are generated automatically).
- Optionally click the Change button (on the right) to change the folder that the secret(s) will be added to (any folder for which the user has the Owner/Editor Role Type permissions can be selected).

Password Settings: Select either:

- Use automatically generated password: for the secret(s) to be added.
- Specify password manually: and then enter the password to be used for the secret(s) to be added.

Account for Password Rotation [only available when onboarding Windows local accounts]: Specify the account to be used for remote password rotation in the new secret(s) (this account must first be configured on the corresponding host, e.g. the remote computer), by selecting either:

- Select secret: and then select a secret in the drop-down list (which lists both the Active Directory and Windows account secrets for which the user has the Owner/Editor Role Type permissions).

NOTE: The "Add Secret" button can also be clicked to add a new Active Directory or Windows account secret to the drop-down list (by adding the secret in the usual way on the Password Management page that opens in a new browser tab).

- Enter credentials: and then enter the User name and Password of an existing account with local admin privileges (it is recommended to use the same account credentials as those selected in the Select account to use for scans field of the associated account discovery rule).

NOTE: For Active Directory accounts, remote password rotation is performed during the onboarding process using the account defined in the associated LDAP Target (added on the Configuration page).

NOTE: For Active Directory accounts, when an automatic LDAP target is used on the computer where Syteca Application Server is installed, the EkranServer service must run under a domain admin account.

5. On the Automation, Security, Permissions, and Restrictions tabs, configure the settings in the usual way (as when editing or adding a secret on the Password Management page).

6. Click the Onboard button (in the bottom right of the pop-up window) to onboard the account(s), i.e. to add the associated secret(s) for the account(s).

7. On the System Health page, on the Tasks List tab, the progress of the Account Onboarding tasks (one for each of the corresponding accounts) can then be viewed (and a task can optionally be Canceled while it is Queued or In progress).

8. When a task is Finished, the corresponding account is onboarded and has the Managed status on the Privileged Accounts tab (on the Account Discovery page).

