
I’m trying to figure out if this is even possible.  I feel like it is, but I’m probably missing how to accomplish it.

So we have 60 something Windows servers running SQL server.  We have 20 something AD accounts that run SQL on these various servers.  Ideally what I’d like to do is build a rule that adds the appropriate linked managed system to each managed account that is running the SQL services on those systems. So the end result would be I could go into each account, and see the system or systems that it is running SQL on.

I’d really like this to work automatically so that any time a new server is added, or an account is added to another system, it automatically gets added to the list of linked systems for that account.    I can easily create rules to get a list of all of these servers running sql.  I can also easily create a rule that shows me all of these accounts (they all start with the same thing).  But is there a way to then just link each account to the appropriate server without creating tons of different rules?

You may want to review the subscriber account feature, it can link to multiple managed accounts and they will all share an identical password.

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0018997


That’s not what I’m trying to do.  I don’t want the passwords the same.  I just want the managed system or systems each account is used on to show up in Linked systems for each managed account without having to do it manually for each one.  This info is in the discovery data, shouldn’t there be a way with “smart rules” to do this?


So I figured a way to do this individually. I can create a managed system smart group that has

Windows Service Log on identities

User Identity = the account name or user identity = domain\the account name.

Then I need a managed account smart group that has

Managed Account Fields

Account Name = the account name

Actions:

Link domain accounts to managed systems and select the managed system smart group from above.

This does work.  However, with 30 accounts, I need now 60 total smart rules just to make this happen.

Surely there is some way to do this with fewer rules?


Have you tried groups? i.e. create security groups for the accounts and a security group for the systems.

This will allow you to map the groups to the system groups. If a SQL account is the same on two systems, you just avoided creating one set of rules.

This is how I map domain admins to domain controllers for instance. If you are a member of the domain admins security group, you have all the domain controllers found in the domain controllers OU. If there is already a good method of systems, i.e. the domain controllers OU, use that but otherwise, you can use a group.

If it is just 1 account for 1 system and there are 30 systems, then you will need to do the 1:1 mapping rules (60 rules).

The benefit to using groups, is you don’t have to change rules to add or remove accounts from the system, you just add/remove users, service accounts from/to the managed accounts security group in AD or you add/remove systems on the managed systems security group in AD. This also makes a server replacement much easier.

You can also reuse some of these groups when mapping your server admin groups. We have a group for our server engineers that have admin on every server in the company so 1 rule for that group, 1 system rule to give them all the servers. Enterprise SQL DBAs, same thing. A group for all the SQL Servers, a group for the DBAs and 2 smart rules, 1 directory query.

Another benefit, as long as all administrators on the system are all in a domain security group, you can simply map that group.

The only problem I have is the one-offs. A security group for a team of people with access to a handful of servers and someone wants to add an account to only one of those servers so that’s potentially two new rules. One for just the system they need and one for the new user account.



It seems in this case I’d still need to maintain AD groups to link the accounts to the systems.  I was trying to find an automatic way to do this using the discovery data.  The info is there, you can see it in the reports when you run them.  We are coming from Secret Server to Password Safe.  In Secret Server “dependencies” are automatically added to each account that is running them with a small generic set of discovery rules.  I can then go to the service account in Secret Server, click on dependencies and see each server and service running that account.  In Password Safe it seems the only way to see that is by running a report for the account.


I have this down to 2 smart rules. However, it will find all the systems where the service is installed and then map all those systems to the account(s). In my case, I have a few ADFS servers. I created a system smart rule to get all servers with the service name is adfssrv. This returns 3 servers since we are in the process of getting rid of ADFS for EntraID.

For the service account smart rule, I am using the “is one of” clause and adding multiple service accounts to that rule. Then I tie that rule to the assets smart rule for the ADFS servers. 

The problem with this approach is there is 1 server in the list that has old scan data. ADFS is not installed on this server any longer so I need to run a fresh scan of the system.

Second, any account in the account smart rule will map to all the servers with the service. 

Essentially, I just replaced the groups method with the service itself. 

If this is of interest to you, I can send you screenshots. 



You’re using this in a managed account linking rule, or you’ve already linked these accounts to these systems in another way? 

I did this:

1) Create asset smart rule for assets with Services that equal MSSQLSERVER or SQLSERVERAGENT

2) Create managed account smart rule that includes ALL items that match the above asset smart group, AND items where the managed account fields is one of our many SQL SVC accounts.

If I try this, I get no results.


However, if I then go in manually link one of these SVC accounts to the systems they are used on, the results of this rule then shows the account that is linked to systems, but none of the other accounts.
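A way to pull the same account-to-system mapping straight from the servers, as an added example that is not from this thread or from BeyondTrust. It assumes a sql-servers.txt host list (one hostname per line), CIM/WinRM access to each server, and 'SVC_' as a placeholder for the common prefix the SQL service accounts share:

```powershell
# Added example (not from the thread or from BeyondTrust): build the
# "account -> systems" mapping from live Windows service data, the same
# information Password Safe discovery stores as service log-on identities.
# Assumptions: sql-servers.txt lists one hostname per line, CIM over WinRM
# is reachable, and 'SVC_' stands in for the prefix the SQL accounts share.
$Servers       = Get-Content -Path .\sql-servers.txt
$AccountPrefix = 'SVC_'   # placeholder, not a value from the thread

$rows = foreach ($server in $Servers) {
    try {
        $services = Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not query ${server}: $($_.Exception.Message)"
        continue
    }

    # Default-instance names used in the thread (MSSQLSERVER / SQLSERVERAGENT)
    # plus named instances, which appear as MSSQL$<Instance> and SQLAgent$<Instance>.
    $sqlServices = $services | Where-Object {
        ($_.Name -in @('MSSQLSERVER', 'SQLSERVERAGENT')) -or
        ($_.Name -like 'MSSQL$*') -or ($_.Name -like 'SQLAgent$*')
    }

    foreach ($svc in $sqlServices) {
        # Normalise DOMAIN\account and account@domain to the bare account name so the
        # two spellings mentioned in the thread collapse into one key.
        $account = ($svc.StartName -replace '^.*\\', '') -replace '@.*$', ''
        # Skip LocalSystem, NT Service\... virtual accounts and anything not a SQL SVC account.
        if ($account -notlike "$AccountPrefix*") { continue }
        [pscustomobject]@{ Account = $account; System = $server; Service = $svc.Name }
    }
}

# One row per account listing the distinct systems it runs SQL on.
$mapping = $rows | Group-Object -Property Account | ForEach-Object {
    $systems = @($_.Group.System | Sort-Object -Unique)
    [pscustomobject]@{
        Account = $_.Name
        Count   = $systems.Count
        Systems = $systems -join ', '
    }
}
$mapping | Sort-Object Account | Format-Table -AutoSize
$mapping | Export-Csv -Path .\sql-account-systems.csv -NoTypeInformation
```

Because it queries the services live rather than the last discovery scan, it also sidesteps the stale-scan-data problem described earlier in the thread.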


Do you have the linking in your smart rule? This is in the managed accounts smart rule.



If I do that, it links each account to every system in the asset smart rule.   I only want to link each account to the systems they are actually running services on.


That’s the rub. Map them 1:1 for the 60 rules, or map them in bulk.

I’ll keep playing with it, if I get it working, I’ll come back here and post.

