Creating a scanner for local accounts

The Discovery feature can search Windows servers in a pool for local accounts and add them to the relevant safes and/or listeners. Alternatively, the feature can send the accounts to quarantine, which means blocking the accounts on the target server.

Note

Before proceeding with creating a scanner, you need to set up:

  • a pool of servers that will be scanned for local accounts - refer to the Pools section,
  • an administrator’s account with access to all scanned servers - refer to the Accounts section.

Password change policy, password changer, and password verifier can be added later, after saving the scanner.

In order to create a scanner, proceed as follows:

  1. Select Management > Discovery > Scanners.
  2. Click Add.
  3. Enter the scanner's name.
  4. Select Windows Local Accounts from the Scanner type drop-down list.
  5. Optionally, enter the scanner's description.
  6. In the Schedule section, choose a day and time for your scanner to start automatically on a weekly basis. This field is optional, so you can skip this step and start your scan manually at any time.
  7. In the Configuration section:

7.1. Select the pool of servers where scanning will be performed.

7.2. Specify the port number in the Port field.

7.3. Provide the CA certificate.

7.4. Select the Account to be used to connect to the target server.

Note

In order to use one scanner to scan local accounts on multiple Windows servers, an administrator account with exactly the same authentication method must exist on every scanned server.

7.5. Choose previously defined Rules to set the actions taken after the scan. Note that if more than one rule is added and their actions overlap, the order of the rules is taken into account: the first matching rule will be applied.


8. In the Password Changers section, select the Password change policy, Password changer, and Password verifier that will be automatically assigned to discovered accounts.

Note

  • The administrator can predefine password changer variable values in the Password changers configuration (refer to the Custom password changers section).
  • Predefining values is optional. If a variable is not defined, it takes its value from the account that the password changer is assigned to.
  • Default password changers don't have predefined variable values.

9. Click Save.
