
Hi All, 

I am trying to explore options for bringing in 1500+ AD objects from an AD domain without using the AD group option (I agree that is the best and most suitable option).

Kindly help to share if there are any other options to achieve this apart from using an AD group.

Is this for user management or for managed accounts?

 

If you're looking to bring in 1500+ Active Directory (AD) objects into BeyondTrust Password Safe without using AD groups, here are several alternative methods you can explore:

1. Use Smart Rules with Directory Queries

Smart Rules can be configured to pull in AD accounts based on custom filters, not just group membership.

  • You can define filters based on:
    • OU (Organizational Unit)
    • Account attributes (e.g., name, type, last login)
    • Account type (e.g., service accounts, admin accounts)

This allows you to target specific sets of AD objects without relying on group membership.
🔗 Smart Rules documentation [Smart Rule...dtrust.com]

2. Use the API for Bulk Import

You can use the BeyondInsight Password Safe API to import AD accounts programmatically.

  • Create a script (e.g., in PowerShell or Postman) to:
    • Read from a CSV file or AD query
    • Loop through each entry
    • Call the API to add each account or asset

This method is flexible and scalable for large imports.
🔗 API documentation 

3. Manual Import via Discovery Scan

You can run a Discovery Scan and then manually select which AD accounts to import.

  • This method allows you to:
    • Discover all AD objects
    • Filter and select specific accounts
    • Import them without needing group-based filtering

🔗 Getting Started Guide [Password S...dtrust.com]


Here’s a sample PowerShell script that uses the BeyondInsight Password Safe API to import AD accounts in bulk without using AD groups. This script assumes you have a list of AD accounts in a CSV file and valid API credentials.

NOTE: this is not supported and is used at your own risk.

 

Sample CSV format:

AccountName,Domain,Description
svc_account1,corp.local,Service Account 1
svc_account2,corp.local,Service Account 2

 

PowerShell script (see note):

# Set API credentials and endpoint
$apiBaseUrl = "https://your-beyondinsight-server/api/public/v3"
$apiKey  = "your-api-key-here"
$runAs   = "corp\apiuser"      # BeyondInsight user the API key runs as
$csvPath = "C:\ADAccounts.csv"

# The public API takes the key and a run-as user in one header and then keeps an
# ASP.NET session cookie; -SessionVariable stores that cookie for the later calls.
$headers = @{ "Authorization" = "PS-Auth key=$apiKey; runas=$runAs;" }
Invoke-RestMethod -Uri "$apiBaseUrl/Auth/SignAppin" -Method POST -Headers $headers -SessionVariable session | Out-Null

# Read CSV
$accounts = Import-Csv -Path $csvPath

# Loop through each account and create it
foreach ($account in $accounts) {
    $body = @{
        "AccountName"     = $account.AccountName
        "DomainName"      = $account.Domain
        "Description"     = $account.Description
        "PlatformId"      = 1    # Adjust based on your platform (e.g., Windows, Linux)
        "ManagedSystemId" = 123  # ID of the managed system this account belongs to
        "IsManaged"       = $true
    }

    $jsonBody = $body | ConvertTo-Json -Depth 3

    try {
        # Check the resource path and field names against the API doc for your version
        $response = Invoke-RestMethod -Uri "$apiBaseUrl/accounts" `
            -Method POST `
            -Headers $headers `
            -ContentType "application/json" `
            -WebSession $session `
            -Body $jsonBody

        Write-Host "Imported account: $($account.AccountName)"
    }
    catch {
        # One bad row should not stop a 1500-row import
        Write-Warning "Failed to import $($account.AccountName): $($_.Exception.Message)"
    }
}

# Close the API session
Invoke-RestMethod -Uri "$apiBaseUrl/Auth/Signout" -Method POST -Headers $headers -WebSession $session | Out-Null

Important Notes

  • Replace PlatformId and ManagedSystemId with actual values from your environment.
  • You must have API access enabled and permissions to create accounts.
  • You can extend this script to include additional fields like password policies, access levels, etc.
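A CSV-driven import like the one above only covers the rows in the file, which is the limitation Prasad raises further down the thread. The variant below is an added example, not code from the original post or from BeyondTrust: it reads the candidate accounts from AD at run time, asks Password Safe which accounts the domain's managed system already holds, and only creates the missing ones, so it can be scheduled and re-run safely. It assumes the ActiveDirectory PowerShell module, the v3 public API resources Auth/SignAppin, ManagedSystems/{id}/ManagedAccounts (GET and POST) and Auth/Signout as documented for your version, a naming convention of svc_* for service accounts, and placeholder values for server, key, run-as user, search base and managed system ID.

```powershell
# Added example, not from the thread or from BeyondTrust. Assumed: the
# ActiveDirectory module is installed and the public API v3 exposes
# Auth/SignAppin, ManagedSystems/{id}/ManagedAccounts (GET/POST) and Auth/Signout.
# All placeholder values below are assumptions for your environment.
param(
    [string]$ApiBaseUrl      = "https://your-beyondinsight-server/api/public/v3",
    [string]$ApiKey          = "your-api-key-here",
    [string]$RunAs           = "corp\psapi",       # BeyondInsight user the key runs as
    [int]   $ManagedSystemId = 123,                # the AD domain as a managed system
    [string]$SearchBase      = "DC=corp,DC=local"
)

Import-Module ActiveDirectory

# Candidates come straight from AD, so a scheduled run picks up new accounts.
# Selection is by naming convention (svc_*); the bitwise matching-rule OID on
# userAccountControl drops disabled accounts (flag 2) without a second query.
$ldapFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=svc_*)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$candidates = Get-ADUser -LDAPFilter $ldapFilter -SearchBase $SearchBase -Properties Description

$headers = @{ "Authorization" = "PS-Auth key=$ApiKey; runas=$RunAs;" }
Invoke-RestMethod -Uri "$ApiBaseUrl/Auth/SignAppin" -Method POST -Headers $headers -SessionVariable session | Out-Null

try {
    # Fetch what is already managed once and compare case-insensitively: a second
    # run must neither create duplicates nor fail on accounts that already exist.
    $existing = Invoke-RestMethod -Uri "$ApiBaseUrl/ManagedSystems/$ManagedSystemId/ManagedAccounts" `
        -Method GET -Headers $headers -WebSession $session
    $known = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($acct in $existing) { [void]$known.Add($acct.AccountName) }

    $added = 0; $skipped = 0; $failed = 0
    foreach ($user in $candidates) {
        if ($known.Contains($user.SamAccountName)) { $skipped++; continue }

        # Rotation settings are left at the managed system defaults; add further
        # fields only after checking them against the API doc for your version.
        $body = @{
            AccountName = $user.SamAccountName
            Description = $user.Description
        } | ConvertTo-Json

        try {
            Invoke-RestMethod -Uri "$ApiBaseUrl/ManagedSystems/$ManagedSystemId/ManagedAccounts" `
                -Method POST -Headers $headers -WebSession $session `
                -ContentType "application/json" -Body $body | Out-Null
            $added++
        }
        catch {
            $failed++
            Write-Warning "Failed to onboard $($user.SamAccountName): $($_.Exception.Message)"
        }
    }
    Write-Host "Onboarded $added, skipped $skipped already managed, $failed failed."
}
finally {
    # Always release the API session, even if the import loop throws
    Invoke-RestMethod -Uri "$ApiBaseUrl/Auth/Signout" -Method POST -Headers $headers -WebSession $session | Out-Null
}
```

Because the script diffs AD against the managed system before posting, it behaves like a one-way sync: run it from a scheduled task with a least-privilege API user that can only create managed accounts, and review the warning output rather than letting a single failed row abort the batch.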

Hello Frank,

We also have a similar requirement to bring all AD accounts into the BeyondTrust User Management section (irrespective of whether they are assigned to any BeyondTrust-specific AD group).

Could you please help with the specific smart rule configuration?

I was trying to create a smart rule using a directory query but am facing an issue with selecting the domain name from the dropdown.

Create the Smart Rule to run the directory query and add managed accounts -

  • Select the Domain from the dropdown.

I don't see any domain name being shown. How can I populate the domain name? Where do I need to configure that?

 

Thanks,

Prasad


Hi Frank, 

This is required for managed accounts. The OU option is also not feasible, and a separate OU may not be created.

Also, with the shared script block, should it be used under the AD Domain managed system ID or any other domain-joined asset? It would be helpful if you could clarify that so that we can try to modify it further and test it.

Also, with this script option, I think it will only onboard a specific set of accounts and does not cater for new accounts which might need to be onboarded to PS in the future.

Please share your views. Thanks. 


Directory queries are the way in my opinion. You can include all accounts but also exclude some accounts.

In these criteria, I am using a smart rule to do reporting. I want all service accounts where the password age is greater than 1 year. I also have a security group where I add service accounts with an exception to the 1-year rule. This gives me a list of all the service accounts I care about from a compliance point of view.

This is just one way to do it. Directory Queries can be very powerful and mixed with a smart rule, you can include and exclude just about anything.
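The reporting criteria described in the reply above (service accounts with a password older than a year, minus the members of an exception group) come down to one LDAP filter that the directory query evaluates. The script below is an added example, not from the thread or from BeyondTrust: it builds that filter in PowerShell and dry-runs it against AD so the result set can be reviewed before the filter is pasted into the Directory Query. The search base, the exception group DN and the svc_* naming convention are assumed placeholders.

```powershell
# Added example, not from the thread or from BeyondTrust. Builds the LDAP filter
# behind the "stale service account password" criteria and checks it against AD.
# Search base, group DN and the svc_* naming convention are assumed placeholders.
Import-Module ActiveDirectory

$searchBase     = "DC=corp,DC=local"
$exceptionGroup = "CN=PS-PwdAge-Exceptions,OU=Groups,DC=corp,DC=local"
$maxAge         = [TimeSpan]::FromDays(365)

function New-StalePasswordFilter {
    param(
        [Parameter(Mandatory)][string]$ExceptionGroupDn,
        [Parameter(Mandatory)][TimeSpan]$MaxAge,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    # pwdLastSet is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC), so
    # "older than MaxAge" becomes a numeric <= comparison inside the filter.
    $cutoff = ($Now - $MaxAge).ToFileTimeUtc()

    # pwdLastSet=0 means "must change at next logon", not "rotated long ago", so
    # it is excluded explicitly. The matching-rule OID on memberOf makes the
    # exception-group exclusion honour nested group membership, which a plain
    # memberOf= clause would not.
    return "(&(objectCategory=person)(objectClass=user)(sAMAccountName=svc_*)" +
           "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
           "(!(pwdLastSet=0))(pwdLastSet<=$cutoff)" +
           "(!(memberOf:1.2.840.113556.1.4.1941:=$ExceptionGroupDn)))"
}

$filter = New-StalePasswordFilter -ExceptionGroupDn $exceptionGroup -MaxAge $maxAge
Write-Host "LDAP filter for the Directory Query:`n$filter"

# Dry run with the exact filter the query will use, showing the age for review
Get-ADUser -LDAPFilter $filter -SearchBase $searchBase -Properties pwdLastSet |
    Select-Object SamAccountName,
        @{ n = "PasswordLastSet"; e = { [datetime]::FromFileTimeUtc($_.pwdLastSet) } },
        @{ n = "AgeDays";         e = { [int]((Get-Date).ToUniversalTime() - [datetime]::FromFileTimeUtc($_.pwdLastSet)).TotalDays } } |
    Sort-Object AgeDays -Descending |
    Format-Table -AutoSize
```

The cutoff is a fixed number at the moment the filter is generated, so a Directory Query that should keep tracking "one year ago" needs the filter regenerated on a schedule, or the age check moved into the smart rule's own criteria; the exclusion by group membership, on the other hand, is evaluated live on every run.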


Could you please help me with my earlier query in this thread.

I was trying to create a smart rule using a directory query but am facing an issue with selecting the domain name from the dropdown.

Create the Smart Rule to run the directory query and add managed accounts -

  • Select the Domain from the dropdown.

I don't see any domain name being shown. How can I populate the domain name? Where do I need to configure that?

 

Thanks,

Prasad


When you create the directory query, you will first add your bind account from the Credential pulldown.

Next, you will click the Browse button for the query target.

Type in your domain, click Load Domains and then select the domain from the pulldown.

When you have that, click the Select This Path button.

 

You can find instructions for creating directory queries here - https://docs.beyondtrust.com/bips/docs/bi-assets#create-a-directory-query

The actual instructions are almost at the bottom of the page.