Creating a scanner for Domain Controller Accounts

The Discovery feature searches a domain controller for accounts with different privilege levels and adds them to the relevant safes and/or listeners. This onboarding process, which grants the discovered accounts access to connections, is the basis of the Discovery feature. Alternatively, the feature can send the discovered accounts to quarantine, which means blocking those accounts on the target server.

Note

Before proceeding with creating a scanner, you need to set up:

  • a server that will be scanned for accounts - refer to the Servers section,
  • an administrator’s account on that server - refer to the Accounts section,
  • and a pool to which you want to assign the detected accounts - refer to the Pools section.

Password change policy, password changer, and password verifier can be added later, after saving the scanner.

In order to create a scanner, proceed as follows:

  1. Select Management > Discovery > Scanners.
  2. Click Add.
  3. Enter the scanner's name.
  4. Select Domain Controller Accounts from the Scanner type drop-down list.
  5. Optionally, enter the scanner's description.
  6. In the Schedule section, choose a day and time for the scanner to start automatically on a weekly basis. This field is optional; skip it if you want to start the scan manually at any time.
  7. Fill in the Configuration section with:

7.1. Target server in the Scan on server field (the server defined in the Servers section).

7.2. Port number on which the scanner connects to the target server.

7.3. CA certificate used to verify the target server's certificate.

7.4. Base DN value to indicate the exact location in the domain to be searched (optional), in LDAP distinguished-name format: cn=##username##,dc=example,dc=com.

7.5. Group DN value to indicate the exact group in the domain (optional), in the same format: cn=##username##,dc=example,dc=com.

Note

If Base DN or Group DN is not specified, the scanner will search the entire domain.

7.6. Account to be used to connect to the target server (the administrator's account defined in the Accounts section).

7.7. Select the Account category to be found (privileged, non-privileged or all).

Note

The Discovery feature identifies privileged accounts within Active Directory (AD) based on membership in specific groups that carry high levels of rights and permissions. To be recognized as privileged by the Discovery scanner, an account must belong to one of the following four high-privilege AD groups:

  • Enterprise Admins (EA),
  • Domain Admins (DA),
  • Built-in Administrators (BA),
  • Schema Admins (SA).

Accounts that hold elevated rights by other means (for example, membership in Account Operators or Backup Operators, or rights delegated directly on directory objects) do not meet this criterion and are not classified as privileged by this check.
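The following PowerShell script is an added example and is not part of the product documentation or of the scanner itself. It lets you cross-check the scanner's results from a domain-joined host: it enumerates enabled user accounts under a search base (the counterpart of the Base DN field) and tags each one as privileged or non-privileged using the same four groups listed above, resolved by well-known SID/RID rather than by display name. It assumes the RSAT ActiveDirectory module is installed and that the running account can read the directory; the OU ou=Users,dc=example,dc=com used in the final call is a placeholder.

```powershell
# Added example (not from the product documentation): list which accounts under a Base DN
# the Discovery scanner should classify as privileged, using the same four AD groups.
# Assumptions: RSAT ActiveDirectory module installed, domain-joined host, read access to AD.
Import-Module ActiveDirectory

function Get-ScannerPrivilegeCategory {
    param(
        # Counterpart of the scanner's "Base DN" field; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Counterpart of the scanner's "Scan on server" field.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )

    $domain = Get-ADDomain -Server $Server
    # Enterprise Admins and Schema Admins exist only in the forest root domain.
    $forestRoot = Get-ADDomain -Identity (Get-ADForest -Server $Server).RootDomain

    # Resolve the four groups by well-known SID/RID rather than by name, so renamed
    # groups are still found. BA is the builtin group S-1-5-32-544 of the scanned domain.
    $groups = [ordered]@{
        'Enterprise Admins (EA)'       = @{ Sid = "$($forestRoot.DomainSID.Value)-519"; Server = $forestRoot.PDCEmulator }
        'Domain Admins (DA)'           = @{ Sid = "$($domain.DomainSID.Value)-512";     Server = $Server }
        'Built-in Administrators (BA)' = @{ Sid = 'S-1-5-32-544';                       Server = $Server }
        'Schema Admins (SA)'           = @{ Sid = "$($forestRoot.DomainSID.Value)-518"; Server = $forestRoot.PDCEmulator }
    }

    # Map user objectSid -> labels of the privileged groups it belongs to. -Recursive
    # expands nested groups, so a user in a group that is itself a member of Domain
    # Admins is counted as privileged.
    $privilegedBySid = @{}
    foreach ($label in $groups.Keys) {
        $g = $groups[$label]
        $members = Get-ADGroupMember -Identity $g.Sid -Server $g.Server -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            $sid = $m.SID.Value
            if (-not $privilegedBySid.ContainsKey($sid)) { $privilegedBySid[$sid] = @() }
            $privilegedBySid[$sid] += $label
        }
    }

    # Enumerate enabled users under the Base DN and tag each with the category the
    # scanner would assign, plus the group(s) that caused it.
    Get-ADUser -Server $Server -SearchBase $SearchBase -SearchScope Subtree -Filter 'Enabled -eq $true' |
        ForEach-Object {
            $sid = $_.SID.Value
            $isPrivileged = $privilegedBySid.ContainsKey($sid)
            if ($isPrivileged) { $category = 'privileged'; $via = $privilegedBySid[$sid] -join ', ' }
            else               { $category = 'non-privileged'; $via = '' }
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                Category          = $category
                PrivilegedVia     = $via
            }
        }
}

# Example run against a placeholder OU; compare the "privileged" rows with what the scanner onboarded.
Get-ScannerPrivilegeCategory -SearchBase 'ou=Users,dc=example,dc=com' |
    Sort-Object Category, SamAccountName |
    Format-Table -AutoSize
```

Run it with a SearchBase that matches the scanner's Base DN and diff the "privileged" rows against the accounts the scanner onboarded; any account present here but missing from the scanner's output (or the reverse) is worth investigating before the associated rules act on it. Get-ADGroupMember -Recursive can fail on groups that contain foreign security principals from a trusted forest; in that case query the group membership with an LDAP filter using the LDAP_MATCHING_RULE_IN_CHAIN matching rule (1.2.840.113556.1.4.1941) instead.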

7.8. Select the Pools to which the discovered accounts will be assigned.

7.9. Choose previously defined Rules to set the actions to be taken after the scan. If more than one rule is added and their actions overlap, the order of the rules matters: the first matching rule is applied.

[Screenshot: 5-4-new-scanner-accounts.png]

8. In the Password Changers section, select the Password change policy, Password changer, and Password verifier that will be automatically assigned to the discovered accounts.

[Screenshot: 5-4-new-scanner-password.png]

Note

  • The administrator can predefine password changer variable values in the Password changers configuration (refer to the Custom password changers section).
  • Predefining values is optional. If a variable is not defined, it takes its value from the account the password changer is assigned to.
  • Default password changers have no predefined variable values.

9. Click Save.

Related topics: