Enterprise Administration Guide › Implementing Privileged Accounts › How to Set Up Password Consumers › Discover Service Accounts

Discover Service Accounts

Service Accounts are internal accounts used by Windows services. These services provide core operating system and other functionality to the computer. You can protect these services from potential attacks by managing the service account passwords from CA Access Control Enterprise Management.

You can discover service accounts that manage services and scheduled tasks on Windows Agentless endpoints. Discovering service accounts lets you create multiple service accounts in CA Access Control Enterprise Management at the same time and assign password consumers to the service accounts. If you do not want to create password consumers for the service account, use the Create a Privileged or Service Account task to create the service account.

Note: To discover privileged accounts, use the Discover Privileged Accounts Wizard.

The Discover Service Accounts Wizard does not discover all the services on the endpoint. It discovers only services run by accounts for which you can change the password. For example, CA Access Control Enterprise Management discovers services that are run by your computer's Administrator account or domain accounts, but does not discover services that are run by the NT AUTHORITY\Local Service account.

To discover service accounts

1. (Optional) To discover service accounts that are domain accounts, verify that the domain controller (DC) on which the accounts exist is defined in CA Access Control Enterprise Management with the following attributes:
   • Endpoint type—Windows Agentless
   • Is Active Directory—True
   • Host Domain—The domain name of which the DC is a member
   • User Domain—The domain name of which users defined on the DC are members

     Note: Specify the user domain only if the administrative account is from a different domain than the domain in which the accounts reside.

   The Discover Service Accounts Wizard can now discover service accounts that are domain accounts.

2. In CA Access Control Enterprise Management, select Privileged Accounts, Accounts, Discover Service Accounts Wizard.

   The Discover Service Accounts Wizard window opens.

   Note: The value of the Endpoint Type field is Windows Agentless because PUPM manages service accounts only on Windows Agentless endpoints.

3. Select an attribute for the search, type in the filter value, and click Search.

   A list of service accounts that match the filter criteria appears, and a list of Windows services and scheduled tasks that use the service accounts. If the wizard discovers an account from an unknown domain, a warning message appears.

   Note: The process may take some time to complete. The services and scheduled tasks are listed in the Password Consumer column. The icons in this column let you see at a glance which password consumers are services and which are scheduled tasks.

4. Select the services and scheduled tasks that you want to use password consumers to manage, then click Next.

   The General Account Properties window appears.

5. Select the password policy to assign to the services and scheduled tasks, then click Next.

   The Summary window appears.

6. Review the summary then click Finish.

   CA Access Control Enterprise Management submits the task and adds the service accounts if there are no errors. After CA Access Control Enterprise Management adds the service account, it automatically creates a password consumer for each service and scheduled task that you selected. You can use the appropriate password consumer task to view and modify the password consumers.