
Hello dear all,

We want to make the Windows local scan accounts manageable by onboarding them into Password Safe using a Managed Account Smart Rule. However, for this to work, the local account must appear under the Advanced Details of the asset before it can be automatically onboarded.

The issue is that, for some managed systems (MS) where we want to onboard the local scan account, these accounts do not show up in the asset’s Advanced Details.

To resolve this, I understand that we need to perform a new scan on those systems using the previous local scan credential, so the system can retrieve and display the local account information. But this process is quite painful, especially considering there are over 30 managed systems, and we’d have to reconfigure all scheduled scans afterward to use the new Managed Account scan credential. As you know, you can’t change the scan credential to a managed account after the scan is created — it must be set during the initial scan setup.

Do you have any suggestions to make the local accounts appear without having to redo all the scans? Or perhaps an alternative approach to achieve the same result with less overhead?

Hi @gsacuxipo, I've kind of been in your shoes before with scanning in 55k machines, so I fully get wanting to automate this as much as possible. What I did to get the accounts in the system to start with was just an ad-hoc detailed scan of the machines with credentials that I knew had administrative access to the machines. This will bring in all of the information about the machine (accounts, services, scheduled tasks, etc.). If this information isn't showing up, it's likely a sign that the credential you used didn't have sufficient access, or possibly a firewall issue, though typically I've noticed it's a credential issue. Getting the machines in to become managed systems is the first step, then you can use the credential sync function in Password Safe to ensure all of the systems have the same password that is being managed by Password Safe rotation.
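Before re-running a detailed scan against every affected system, it helps to know which of the two causes above (credential vs. firewall) applies to each host. The following PowerShell script is an added example, not code from the thread or from BeyondTrust: it takes a list of hosts and the scan credential, checks the ports a credentialed scan would plausibly need, and then tries to enumerate local accounts with that credential over WMI (WSMan first, DCOM as a fallback). The port list, the use of Win32_UserAccount, the WSMan/DCOM order and the script name Test-ScanCredential.ps1 are assumptions, not something the scanner is documented to do.

```powershell
# Test-ScanCredential.ps1 (hypothetical name, added example; not from the thread)
# Pre-check a scan credential against target hosts before re-running a detailed scan.
# Assumptions (not from the thread): a credentialed scan needs TCP 135/445 (RPC/SMB)
# and 5985 (WinRM); the scan account is a local administrator on each target; local
# accounts can be enumerated with the WMI class Win32_UserAccount (LocalAccount=True).
param(
    [Parameter(Mandatory)][string[]]$ComputerName,     # hosts to check
    [Parameter(Mandatory)][pscredential]$Credential,  # the (old) local scan credential
    [int[]]$Ports = @(135, 445, 5985)                  # assumed ports used by the scan
)

function Get-RemoteLocalAccounts {
    # Try WSMan first, then DCOM; return the local account names or throw.
    param([string]$Target, [pscredential]$Cred)
    $attempts = @(
        @{ Name = 'WSMan'; Option = (New-CimSessionOption -Protocol Wsman) },
        @{ Name = 'DCOM';  Option = (New-CimSessionOption -Protocol Dcom) }
    )
    $lastError = $null
    foreach ($a in $attempts) {
        try {
            $session = New-CimSession -ComputerName $Target -Credential $Cred `
                -SessionOption $a.Option -ErrorAction Stop
            # Filter server-side so domain accounts are not pulled across the wire.
            $names = Get-CimInstance -CimSession $session -ClassName Win32_UserAccount `
                -Filter 'LocalAccount = True' -ErrorAction Stop |
                Select-Object -ExpandProperty Name
            Remove-CimSession $session
            return [pscustomobject]@{ Protocol = $a.Name; Accounts = @($names) }
        } catch {
            $lastError = "$($a.Name): $($_.Exception.Message)"
        }
    }
    throw $lastError
}

$results = foreach ($target in $ComputerName) {
    # 1. Reachability: which of the assumed scan ports are closed?
    $closed = foreach ($p in $Ports) {
        $tnc = Test-NetConnection -ComputerName $target -Port $p -WarningAction SilentlyContinue
        if (-not $tnc.TcpTestSucceeded) { $p }
    }

    # 2. Access: can this credential actually enumerate local accounts?
    $accounts = @(); $protocol = ''; $failure = $null
    try {
        $r = Get-RemoteLocalAccounts -Target $target -Cred $Credential
        $accounts = $r.Accounts; $protocol = $r.Protocol
    } catch {
        $failure = $_.Exception.Message
    }

    # 3. Classify: closed ports point at a firewall, an enumeration error at the credential.
    $diagnosis = if ($closed) { 'firewall/connectivity' }
                 elseif ($failure) { 'credential/access' }
                 else { 'ok' }

    [pscustomobject]@{
        Computer      = $target
        ClosedPorts   = ($closed -join ',')
        Protocol      = $protocol
        LocalAccounts = ($accounts -join ',')
        AccountCount  = $accounts.Count
        Error         = $failure
        Diagnosis     = $diagnosis
    }
}

$results | Format-Table -AutoSize
```

Run it from the scanner host (or any host with the same network path) as `.\Test-ScanCredential.ps1 -ComputerName srv01,srv02 -Credential (Get-Credential)`. Hosts reported as `ok` with a non-empty account list are the ones where a re-scan should populate Advanced Details; `credential/access` rows are worth fixing before spending a scan on them.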


Thanks for your input, @MikeK.


Let's not forget the option to use the EPM client for local account discovery and management.

This will eliminate having a scan account, functional account and a bunch of ports open for a complete detailed scan. https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0019047

The downside: no detection of software, services, scheduled tasks, etc. Only local accounts.

Suggested use would be on servers in a DMZ and workstation local admins.

BT is currently working on a change from cert auth to OAuth for BeyondInsight/PS Cloud.
I don't see any options for PM Cloud and PS Cloud to configure the OAuth part; it seems to still only be possible with the client cert auth.
