Trying to scan SQL Server databases: I am getting all the databases but no local accounts. Any help will be greatly appreciated.

Yes, Password Safe can scan local SQL accounts. You can refer to this KB article on how to onboard a Microsoft SQL Server Database Managed System and local MS SQL accounts:

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0019885


Hi Howard,

When we run a detailed discovery scan on an MS SQL database, it scans the OS and the DB instance, but nowhere does it enumerate the local accounts of the DB instance. When we create a Managed Account Smart Rule, it expects us to know the names of the local accounts inside the DB instance, which defeats the purpose of running the scan when the intention is to identify the local accounts inside the DB instance that have admin privileges.

The same limitation is valid for other DB platforms as well, such as Oracle and Postgres.

When we run the detailed discovery scan on a Windows server, it enumerates the user account details, so we can then create the Managed Account Smart Rule based on what the scan has found. The details of the scan are visible under Advanced Details as well.

  • A Smart Rule must be explicitly configured to include each database account name for it to be visible and managed within Password Safe.
  • This means there must be prior knowledge of every individual local database account in order to onboard and manage them, as Password Safe does not automatically associate local database accounts with the database instances.
  • This introduces additional administrative overhead and a dependency on complete account inventories, which could affect scalability and the efficiency of future onboarding efforts.

  1. What does this mean for the discovery and management of local DB accounts?
  2. Are there any alternative recommendations from BT on local DB account management?

Hi @abhatia, I'd recommend testing a separate discovery scan account specific to the MS SQL database type. I have seen that scanning works better when using a specific database type, MS SQL for example. Also ensure that it has the required permissions: MSSQL Scan Account Permissions - BeyondInsight / Password Safe - BeyondTrust Discovery Agent scan account permissions


You will need to target specific accounts per the documentation.

That being said, I have a query I use on my SQL Servers to find accounts and bring them in.

SELECT name FROM sys.database_principals
WHERE type_desc = 'SQL_USER' AND [name] NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')

If I run this against my dev BT instance, I get 1 account.

If there is a local account but it doesn't have access to any database, it will not show up in the list. You can also filter accounts by adding them to the "name not in" list.

You can probably also do this by running the query in a script and using the REST API to onboard/offload the accounts based on the query results.

I would also caution that not all accounts can be managed. You should appreciate the risks of rotating the beyondtrust_user account and the impact that would have on the system.

What I am doing is, I only manage accounts where the SQL password policy is enforced. That means the password must be rotated every 90 days or SQL Server will disable the account. Other accounts I treat like a service or non-person account. You can rotate the account, but to avoid breaking applications, I set them to a manual password rotation policy so a proper ticket can be created, an outage scheduled off hours, and the account owners can then rotate the password and update their applications.


One final note, the documentation does not say you have to use name. It says, “In this example: User Account Attributes, Account Name, equals, the name of the account.” I will play with this today and see if I can get it to discover all accounts not in my exclude list.
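As an added example (not the poster's query and not BeyondTrust code), the two queries below address the two caveats raised in the reply above: a login with no database access does not appear in sys.database_principals, and only logins with the SQL password policy enforced are candidates for automatic rotation. The first query reads the server-level login catalog (sys.sql_logins), flags sysadmin membership, and derives the poster's handling rule from the policy columns; the second checks which of those logins actually map to a user in the current database. The exclude list is a constructed placeholder, to be extended like the original "name not in" list, and the queries assume they run as a scan account that is allowed to view server metadata (a login without that permission generally sees only its own row).

```sql
-- Added example, not from the thread's author or BeyondTrust.
-- Query 1: server-level SQL logins, independent of database membership.
SELECT
    l.name,
    l.is_disabled,
    l.is_policy_checked,        -- 1: Windows password policy enforced on this login
    l.is_expiration_checked,    -- 1: login is subject to password expiration
    CASE WHEN IS_SRVROLEMEMBER('sysadmin', l.name) = 1 THEN 1 ELSE 0 END AS is_sysadmin,
    l.default_database_name,
    l.modify_date,
    -- The poster's rule (policy-enforced logins auto-rotate, everything else is a
    -- service account on manual rotation), plus a review flag for sysadmin members,
    -- since rotating a privileged account can break the platform itself.
    CASE
        WHEN IS_SRVROLEMEMBER('sysadmin', l.name) = 1 THEN 'review: sysadmin'
        WHEN l.is_policy_checked = 1 AND l.is_expiration_checked = 1 THEN 'auto-rotate'
        ELSE 'manual-rotate (service account)'
    END AS suggested_handling
FROM sys.sql_logins AS l
WHERE l.name NOT LIKE '##%##'   -- certificate-mapped system logins
  AND l.name NOT IN ('sa')      -- placeholder exclude list; extend as needed
ORDER BY is_sysadmin DESC, l.name;

-- Query 2: run in each database; a login with NULL database_user is exactly the
-- case that the sys.database_principals query alone would never show.
SELECT
    l.name  AS login_name,
    dp.name AS database_user,
    dp.type_desc
FROM sys.sql_logins AS l
LEFT JOIN sys.database_principals AS dp
       ON dp.sid = l.sid
WHERE l.name NOT LIKE '##%##'
  AND l.name NOT IN ('sa')
ORDER BY l.name;
```

The suggested_handling column is only a starting point for building the Smart Rule or the exclude list; the point of keeping is_sysadmin and the policy flags as separate columns is that the decision about which accounts to rotate automatically stays visible and reviewable rather than buried in a script.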