We recommend that you run the privileged accounts discovery process at fixed intervals to scan for new privileged accounts on the endpoints. Discovering privileged accounts lets you create multiple privileged accounts at the same time. CA ControlMinder Enterprise Management presents the accounts that it discovers in a table, so that you can easily tell which accounts you already manage with SAM.
The first time that you discover privileged accounts on an endpoint type, CA ControlMinder Enterprise Management automatically creates an endpoint privileged access role for using privileged accounts on that endpoint type. For example, the first time you discover privileged accounts on a Windows Agentless endpoint, CA ControlMinder Enterprise Management automatically creates the Windows Agentless Connection endpoint privileged access role.
Follow these steps:
The Discover Privileged Accounts Wizard: Select Privileged Accounts page appears.
A list of endpoints that match the filter criteria appears.
The following table column headings are not self-explanatory:
Specifies whether the account is already known to CA ControlMinder Enterprise Management. Known accounts include ones that CA ControlMinder Enterprise Management already manages and the administrator account CA ControlMinder Enterprise Management uses to manage the endpoint.
Specifies whether CA ControlMinder Enterprise Management uses the account to manage the endpoint.
Important! Be cautious when selecting the endpoint administrator account. CA ControlMinder Enterprise Management can automatically change the password of privileged accounts it manages. If you select the endpoint administrator account, you may lose the ability to log in and manage privileged accounts on the endpoint.
Click Next.
The Discover Privileged Accounts Wizard: General Account Details page appears.
Specifies whether the account originates from a disconnected system.
If you select this option, SAM does not manage the account. Instead, it acts only as a password vault for privileged accounts of the disconnected system. Every time you change the password, you also need to manually change the account password on the managed endpoint.
Specifies the password policy you want to apply to the privileged or service account.
Defines the duration, in minutes, before the checked out account expires.
Specifies whether only a single user can use the account at any one time. An exclusive account is a restriction imposed on a privileged account that limits use of the account to a single user at a time.
Exclusive Session specifies that only a single user can use the account, if no open sessions are currently running on the endpoint.
Specifies whether you want CA ControlMinder Enterprise Management to change the password of the privileged account every time it is checked out.
Note: This option does not apply to service accounts.
Specifies whether you want CA ControlMinder Enterprise Management to change the password of the privileged account every time it is checked in by a user or a program, or when the checkout period expires.
Note: If the account is not exclusive, CA ControlMinder Enterprise Management generates a new privileged account password only when all users have checked in the account.
Note: This option does not apply to service accounts.
Specifies whether the discovered account is a service account.
Note: You can also use the Discover Service Accounts Wizard to discover service accounts.
Click Finish.
CA ControlMinder Enterprise Management submits the task and creates the selected privileged accounts if there are no errors.
Copyright © 2013 CA Technologies.
All rights reserved.