Discovery
What is discovery in Vault?
Discovery in Vault refers to the process of scanning and importing privileged credentials from external sources, such as Active Directory or local accounts, into BeyondTrust Vault. This process can be done manually or through the built-in discovery tool.
How is discovery useful in Vault?
Discovery simplifies credential management by automatically finding and importing privileged credentials into Vault. This ensures that credentials are securely stored and centrally managed, enhancing security and reducing the risk of manual errors in credential handling.
How do I access the Discovery page?
- Sign into app.beyondtrust.io.
  The BeyondTrust Home page displays.
- From the main menu, click Privileged Remote Access > Vault.
  The Vault page opens and the Accounts tab displays by default.
- Click the Discovery tab.
  The Discovery tab displays.
The Discovery page

- Left menu: Easy access to all pages in Privileged Remote Access, including Home, Status, Consoles & Downloads, My Account, Configuration, Jump, Vault, Console Settings, Users & Security, Reports, Management, and Appliance pages.
- Status: Takes you to the Status page.
- Header: Change tenant site and obtain user profile setting information.
- Add: Adds a new Discovery Job.
- Discovery columns: The list of columns for a discovery job.
Discovery columns
- Type: Defines the type of a discovery job, either a Domain or Jump Client.
- Target: .
- Last Activity: The date/time the account was last used.
- Performed By: Indicates the creation method of the discovery job, either manual or imported.
- Status: Indicates the status of the discovery job. For example, Successful or Failed.
- View Results: Click the link to view Discovery results.
Initiate a discovery job
- Sign into app.beyondtrust.io.
  The BeyondTrust Home page displays.
- From the main menu, click Privileged Remote Access > Vault.
  The Vault page opens and the Accounts tab displays by default.
- Click the Discovery tab.
  The Discovery tab displays.
- Click New Discovery Job.
  The Discovery: New Job page displays.
- You have the following two options to choose:
  - Windows Domain
  - Local Windows Accounts on Jump Clients
  Note
  The Local Windows Accounts on Jump Clients option only displays if you have the Jump Clients permission located in Users & Security > Users > Access Permissions > Jump Technology. If you have any issues, contact your site administrator.
- Select Windows Domain (default value), and then click Continue.
  The Discovery: Windows Domain page displays.
- You are presented with the option to select a new or existing domain to discover. The default value is New Domain; select Add a New Domain. If a domain does exist, select Existing Domain and select from the dropdown.
- For DNS Name of the Domain, enter a valid fully qualified DNS name for the domain you are performing the discovery action on.
- For Jumpoint, enter a valid Jumpoint.
  Note
  Discovery is currently supported on Windows Jumpoints.
- For Management Account, select either New Account (default value) or Existing Account.
  New Account
  - Username: The valid username of a domain. For example, [email protected].
  - Password: The password of the account.
  - Confirm Password: Confirmation password of the account.
  Existing Account
  - Search for an account: Type the name of an existing account.
  Note
  - This account is used to connect and perform the discovery of accounts and endpoints of the specified domain.
  - This account should be a functional account and only requires password change and reset permissions.
- Click Save and Continue.
Define the discovery scope
- Select the types of objects you wish Vault to discover:
  - Domain Accounts
  - Endpoints
  - Local Accounts
  - Services
  Note
  Discovery of Services is available only if Domain Accounts, Endpoints, and Local Accounts are selected. Only Windows service accounts are discovered.
- Enter a Search Path, or leave it blank to search all OUs and containers.
- Click Browse to refine your search by specifying which OUs to target.
- Use the LDAP Query field to narrow the scope of user accounts and endpoints searched.
- Once the scope is defined, click Start Discovery.
Tip
The discovery process can take some time. While discovery is underway, the Discovery Progress page appears and tracks the number of accounts and endpoints discovered.
Import discovered endpoints, accounts, and services
Once the discovery job is complete, a Discovery Results page appears.
You can switch between the Endpoints, Local Accounts, Domain Accounts, and Services tabs to view the discovered items and import them. When you import items, they are saved for later use in your Vault.
- Endpoints: Shows the Name and Description of the endpoints discovered, as well as their Operating System and Distinguished Name.
- Local Accounts: Shows the Username, Endpoint (system associated with account), Description, Last Login Date, Password Age, and Status for all discovered local accounts.
- Domain Accounts: Shows the Username, Distinguished Name, Description, Last Login Date, Password Age, and Status for all discovered domain accounts.
- Services: Shows the Display Name (Description) (name displayed in Services snap-in), Short Name (name used by Service Controller command line tool), Endpoint (system where service is used), and Username (account used to run the service) for all discovered service accounts.
Note
Only services that use an account other than a built-in account to run are returned in the discovery results.
The user must have permission to use Remote RDP Jump Technology in order to import discovered endpoints.
Import selection
From the Discovery Results page, to import discovered items follow these steps:
- Choose any of the tabs: Endpoints, Local Accounts, Domain Accounts, or Services.
- Select the items you wish to import, and then click Import Selected.
Note
You can filter the list of items based on their attributes using the filter box above the grid. For each tab, click the i next to the filter box to see which attributes can be searched.
- The Import Discovered Items page appears, listing the number of endpoints, accounts, and services selected for import. If importing endpoints and services, select a Jump Group from the list or select the Do not create Jump Item option. If importing accounts, select an Account Group from the list.
- Click Start Import.
- A status page appears, indicating the import completed successfully, and lists the number of endpoints, accounts, and services imported. You can click the links to view the specific items that were imported. Click Done Importing to close the status page.
Upon successful import, the accounts, endpoints, and services are listed on the Accounts, Endpoints, and Services pages in Vault.
On the Accounts page, the endpoints associated with the shared accounts are indicated for each account, and if the account is used to run a Windows service, this is indicated in the Status column.
On the Endpoints page, the number of accounts, Jump Items, and services associated with each endpoint is indicated. You can view the specific associated accounts, Jump Items, and services when you click the links.
Note
For imported endpoints, RDP Jump shortcuts are created with an automatic association to local accounts.
For more information about Jumpoints, see the Jumpoint guide.
Click the Select visible columns button above the grid to customize the columns displayed in the grid.
Non-domain linked endpoints can be associated with RDP items for improved security and user experience. To create the association, follow these steps:
- Click Jump Items on the Endpoints screen.
- Click Add and select Add Remote RDP Jump Shortcut or Associate Existing RDP Jump Shortcuts.
- If associating an existing shortcut, click the shortcut(s) to add, and then click Associate Selected.
On the Services page, the endpoints and accounts associated with each service are indicated, as well as the last status of the service. Also, from the Services page, you have the option to restart the service upon rotation of the service account by checking the Restart box for the service.
Initiate a discovery job for an existing domain
Discovery jobs can be initiated on domains that have already been added or imported to BeyondTrust Vault. You can initiate a discovery job from the Vault > Domains page and from the Vault > Discovery page.
Initiate discovery job from the Domains page
- Sign into app.beyondtrust.io.
  The BeyondTrust Home page displays.
- From the main menu, click Privileged Remote Access > Vault.
  The Vault page opens and the Accounts tab displays by default.
- Click the Domains tab.
  The Domains page displays.
- From the Domains list, select a domain.
- Click the Discover button for the domain.
- Define the scope of the discovery, and then click Start Discovery.
- Select the items to import from the discovery results and start the import.
Initiate discovery job from the Discovery page
- Sign into app.beyondtrust.io.
  The BeyondTrust Home page displays.
- From the main menu, click Privileged Remote Access > Vault.
  The Vault page opens and the Accounts tab displays by default.
- Click the Discovery tab.
  The Discovery Jobs page displays.
- Click New Discovery Job.
  The Discovery: New Job page displays.
- Leave the default Windows Domain option selected, and then click Continue.
- Select Existing Domain.
- Select the domain from the dropdown list.
- Click Continue with Existing Domain.
- Define the scope of the discovery, and then click Start Discovery.
- Select the items to import from the discovery results and start the import.
Schedule discovery jobs
Discovery jobs can be scheduled to run on defined days and times, avoiding the need for manually initiating new jobs on regularly updated workspaces.
Schedule discovery job for a new domain
- Sign into app.beyondtrust.io.
  The BeyondTrust Home page displays.
- From the main menu, click Privileged Remote Access > Vault.
  The Vault page opens and the Accounts tab displays by default.
- Click the Domains tab.
  The Domains page displays.
- Click Add.
- For DNS Name of the Domain, enter a valid fully qualified DNS name for the domain you are performing the discovery action on.
- For Jumpoint, enter a valid Jumpoint.
  Note
  Discovery is currently supported on Windows Jumpoints.
- For Management Account, select either New Account (default value) or Existing Account.
  New Account
  - Username: The valid username of a domain. For example, [email protected].
  - Password: The password of the account.
  - Confirm Password: Confirmation password of the account.
  Existing Account
  - Search for an account: Type the name of an existing account.
  Note
  - This account is used to connect and perform the discovery of accounts and endpoints of the specified domain.
  - This account should be a functional account and only requires password change and reset permissions.
- Click Save and Continue.
- Set the options in the Scheduled Domain Discovery section.
- Click Save. The discovery job runs on the days and time you specify.
- To import items discovered from a scheduled job:
  - Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  - From the main menu, click Privileged Remote Access > Vault.
    The Vault page opens and the Accounts tab displays by default.
  - Click the Discovery tab.
    The Discovery Jobs page displays.
  - Locate the completed scheduled job. (Scheduled jobs are indicated as being performed by System.)
  - Click View Results for the completed job.
  - Import selected items.
Schedule a discovery job for an existing domain
- Sign into app.beyondtrust.io.
  The BeyondTrust Home page displays.
- From the main menu, click Privileged Remote Access > Vault.
  The Vault page opens and the Accounts tab displays by default.
- Click the Domains tab.
  The Domains page displays.
- Click the pencil icon to edit an existing domain from the list.
- From the Scheduled Domain Discovery section, click the Enable Schedule Delivery checkbox.
- Select the days and time for the schedule.
- Select the objects in the Discovery Scope section, and then click Save.
DNS name of the domain
Enter the DNS name for your environment.
Jumpoint
Choose an existing Jumpoint located in the environment where you wish to discover accounts.
Management account
Select the management account needed to initiate the discovery job. Choose to use a new account, which requires a Username, Password, and Password Confirmation to be entered. Or, choose to use an existing account discovered from a previous job or added manually in the Accounts section.
Username
Enter a valid username to use for discovery (username@domain).
Password
Enter a valid password to use for discovery.
Confirm password
Re-enter the password to confirm.
Note
You can define which parts of a domain a Discovery/Import job runs against. Once you select the required fields for a Discovery Job, you can refine the search by specifying which OUs to target or entering LDAP queries.
Discovery scope
Select the objects you wish Vault to discover:
- Domain Accounts
- Endpoints
- Local Accounts
- Services
You can enter a Search Path, or leave it blank to search all OUs and containers. You can also use an LDAP Query to narrow the scope of user accounts and endpoints searched.
Discovery: Jump Client search criteria
Enter one or more search criteria to find active Jump Clients you'd like to use to discover local Windows accounts. All text field searches are partial and case-insensitive. Jump Clients that match all the search criteria will be displayed on the next page for you to select before discovery begins.
Note
The following types of Jump Clients cannot be used for local account discovery and will not be included in the search results:
- Jump Clients that are currently offline or disabled
- Jump Clients that are not running as an elevated service
- Jump Clients that are installed on a domain controller
Jump Groups
Administrators can search for Jump Clients via their Jump Groups and their attributes. If the user is not a member of any Jump Group, the Jump Groups selection section is grayed out and either a tool tip or note is shown indicating that the user must be a member of at least one Jump Group to proceed with the Jump Client discovery process. This is similar to how domain discovery works when a user is not a member of a Jumpoint during discovery or not a member of a Jump Group when importing an endpoint.
You can search All of Your shared Jump Groups or Specific Jump Groups.
Jump Client attributes
You can select one or more shared Jump Groups. Private Jump Groups are not supported.
One or more Jump Client attributes can be entered. If more than one search criterion is entered, only Jump Clients matching all criteria are used for discovery.
The following attributes can be used as search criteria:
- Name: The Jump Client's name as it appears in the Name column in the access console.
- Hostname: The Jump Client's hostname as it appears in the Hostname/IP column of the access console.
- FQDN: The Jump Client's fully qualified domain name, as it appears under the FQDN label of the Jump Client details pane in the access console.
- Tag: The Jump Client's tag as it appears in the Tag column of the Representative Console.
- Public/Private IP: The Jump Client's public and private IP addresses, as they appear under the Public IP label of the Jump Client details pane in the access console. Jump Clients whose IP address starts with the given search value will match.
Click Continue to initiate the discovery.
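How the matching rules above combine, as an added example (not BeyondTrust code): a Python preview over a constructed inventory. The `JumpClient` record, its field names, and testing the IP prefix against either address are assumptions. It shows that the prefix `10.1` also matches `10.10.x.x`, so a trailing dot is needed to bound the scope.

```python
from dataclasses import dataclass

TEXT_FIELDS = ("name", "hostname", "fqdn", "tag")

@dataclass
class JumpClient:  # hypothetical record; field names are assumptions
    name: str
    hostname: str
    fqdn: str
    tag: str
    public_ip: str
    private_ip: str
    online: bool = True
    enabled: bool = True
    elevated_service: bool = True
    on_domain_controller: bool = False

def eligible(jc):
    """Exclusions from the Note: offline/disabled, not elevated, or on a DC."""
    return (jc.online and jc.enabled and jc.elevated_service
            and not jc.on_domain_controller)

def matches(jc, criteria):
    """Every non-empty criterion must match (AND across criteria)."""
    for field, value in criteria.items():
        if not value:
            continue
        if field in TEXT_FIELDS:
            # Text fields: partial, case-insensitive match.
            if value.lower() not in getattr(jc, field).lower():
                return False
        elif field == "ip":
            # IP: prefix match; assumed to apply to either address.
            if not (jc.public_ip.startswith(value) or jc.private_ip.startswith(value)):
                return False
        else:
            raise ValueError(f"unknown criterion: {field}")
    return True

def preview(inventory, **criteria):
    """Names of Jump Clients that would be offered for selection."""
    return [jc.name for jc in inventory if eligible(jc) and matches(jc, criteria)]

# Constructed inventory (documentation and RFC 1918 address ranges).
INVENTORY = [
    JumpClient("FIN-WS01", "fin-ws01", "fin-ws01.corp.example", "finance", "203.0.113.10", "10.1.4.20"),
    JumpClient("FIN-WS02", "fin-ws02", "fin-ws02.corp.example", "finance", "203.0.113.11", "10.10.4.21"),
    JumpClient("FIN-DC01", "fin-dc01", "fin-dc01.corp.example", "finance", "203.0.113.12", "10.1.0.5", on_domain_controller=True),
    JumpClient("HR-WS01", "hr-ws01", "hr-ws01.corp.example", "hr", "203.0.113.20", "10.1.5.30", elevated_service=False),
    JumpClient("Lab-Fin-03", "lab03", "lab03.lab.example", "lab", "198.51.100.7", "10.1.9.9", online=False),
]

if __name__ == "__main__":
    print(preview(INVENTORY, tag="FIN", ip="10.1"))   # over-broad prefix
    print(preview(INVENTORY, tag="FIN", ip="10.1."))  # bounded prefix
```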
Discovery: Select Jump Clients
This screen displays the Jump Clients that will be used in discovery. Select one or more and click Start Discovery.
Discovery results
The results display a list of discovered Endpoints and Local Accounts. Select one or more and click Import Selected.
Import discovered items
A list of the selections you made displays.
Account group
Select from which account group you want to import, then click Start Import. A warning displays indicating this process cannot be stopped once it has started. Click Yes to proceed, or No to abort.
Importing
A message displays indicating the import was completed successfully. A list of Endpoints and Local Accounts displays.
Accounts
Search shared/personal accounts
If you get an extensive list of accounts discovered, use the Search field to search accounts by Name, Endpoint, or Description (by Name and Description only for personal accounts).
Toggle between Shared and Personal accounts. Select one or more accounts. Click ... to Rotate Password, Edit or Delete the account. You can also click Rotate at the top of the page to rotate the password for the selected accounts.
Discovery jobs
View discovery jobs that are in progress for a specific domain, or review the results of successful and failed discovery jobs.
View results
Click View Results for a discovery job to view the Discovery Results, which includes discovered endpoints, local accounts, domain accounts, and services found in the domain.
You can filter the list of items based on their attributes using the filter box above the grid. For each tab, click the i next to the filter box to see which attributes can be searched.
Select which endpoints, accounts, and services to import and store in your BeyondTrust Vault instance. For each list item you wish to import, check the box beside it and click Import Selected.