Discover Privileged Accounts

We recommend that you run the privileged accounts discovery process at fixed intervals to scan for new privileged accounts on the endpoints. Discovering privileged accounts lets you create multiple privileged accounts at the same time. CA ControlMinder Enterprise Management presents the accounts that it discovers in a table, so that you can easily tell which accounts you already manage with SAM.

The first time that you discover privileged accounts on an endpoint type, CA ControlMinder Enterprise Management automatically creates an endpoint privileged access role for using privileged accounts on that endpoint type. For example, the first time you discover privileged accounts on a Windows Agentless endpoint, CA ControlMinder Enterprise Management automatically creates the Windows Agentless Connection endpoint privileged access role.

Follow these steps:

  1. In CA ControlMinder Enterprise Management, click Privileged Accounts, Accounts, Discover Privileged Accounts Wizard.

    The Discover Privileged Accounts Wizard: Select Privileged Accounts page appears.

  2. Select the Endpoint Type from the list.
  3. Select an attribute for the search, type in the filter value, and click Search.

    A list of endpoints that match the filter criteria appears.

  4. Select the privileged accounts that you want to manage.

    The following table column headings are not self-explanatory:

    Discovered Account

    Specifies whether the account is already known to CA ControlMinder Enterprise Management. Known accounts include ones that CA ControlMinder Enterprise Management already manages and the administrator account CA ControlMinder Enterprise Management uses to manage the endpoint.

    Is Endpoint Administrator

    Specifies whether CA ControlMinder Enterprise Management uses the account to manage the endpoint.

    Important! Be cautious when selecting the endpoint administrator account. CA ControlMinder Enterprise Management can automatically change the password of privileged accounts it manages. If you select the endpoint administrator account, you may lose the ability to log in and manage privileged accounts on the endpoint.

    Click Next.

    The Discover Privileged Accounts Wizard: General Account Details page appears.

  5. Complete the fields in the dialog. The following fields are not self-explanatory:

    Disconnected System

    Specifies whether the account originates from a disconnected system.

    If you select this option, SAM does not manage the account. Instead, it acts only as a password vault for privileged accounts of the disconnected system. Every time you change the password, you also need to manually change the account password on the managed endpoint.

    Password Policy

    Specifies the password policy you want to apply to the privileged or service account.

    Check out Expiration

    Defines the duration, in minutes, before the checked out account expires.

    Exclusive Account

    Specifies whether only a single user can use the account at any one time. An exclusive account is a restriction imposed on a privileged account that limits use of the account to a single user at a time.

    Exclusive Session specifies that only a single user can use the account, if no open sessions are currently running on the endpoint.

    Change Password on Check Out

    Specifies whether you want CA ControlMinder Enterprise Management to change the password of the privileged account every time it is checked out.

    Note: This option does not apply to service accounts.

    Change Password on Check In

    Specifies whether you want CA ControlMinder Enterprise Management to change the password of the privileged account every time it is checked in by a user or a program, or when the checkout period expires.

    Note: If the account is not exclusive, CA ControlMinder Enterprise Management generates a new privileged account password only when all users have checked in the account.

    Note: This option does not apply to service accounts.

    Service Account

    Specifies whether the discovered account is a service account.

    Note: You can also use the Discover Service Accounts Wizard to discover service accounts.

    Click Finish.

    CA ControlMinder Enterprise Management submits the task and creates the selected privileged accounts if there are no errors.
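
The option interactions described in step 5, as an added example that is not part of the product documentation and is not CA ControlMinder code: a simplified Python model in which the class, method, account, and user names are hypothetical. It follows the wording of the field descriptions and shows that, with Change Password on Check In set on a non-exclusive account, concurrent users hold the same password until the last one checks in.

```python
import secrets


class ManagedAccount:
    """Simplified model of the check-out/check-in options described above."""

    def __init__(self, name, exclusive=False, change_on_check_out=False,
                 change_on_check_in=False, service_account=False):
        self.name = name
        self.exclusive = exclusive
        # Per the notes above, neither rotation option applies to service accounts.
        self.change_on_check_out = change_on_check_out and not service_account
        self.change_on_check_in = change_on_check_in and not service_account
        self.holders = set()   # users who currently have the account checked out
        self.rotations = 0     # number of password changes so far
        self.password = secrets.token_urlsafe(16)

    def _rotate(self):
        self.password = secrets.token_urlsafe(16)
        self.rotations += 1

    def check_out(self, user):
        # An exclusive account can be held by only one user at a time.
        if self.exclusive and self.holders and user not in self.holders:
            raise PermissionError(f"{self.name} is exclusive and already checked out")
        if self.change_on_check_out:
            self._rotate()
        self.holders.add(user)
        return self.password

    def check_in(self, user):
        # Assumption: an expired checkout is modelled as a check-in.
        if user not in self.holders:
            return
        self.holders.discard(user)
        # Non-exclusive accounts get a new password only once all users have checked in.
        if self.change_on_check_in and not self.holders:
            self._rotate()


def shared_password_window():
    """Return (same password for both users?, rotations after 1st check-in, after last)."""
    acct = ManagedAccount("Administrator", change_on_check_in=True)  # constructed sample
    pw_a = acct.check_out("alice")
    pw_b = acct.check_out("bob")
    acct.check_in("alice")
    after_first = acct.rotations   # bob still holds the account, so no rotation yet
    acct.check_in("bob")
    return pw_a == pw_b, after_first, acct.rotations
```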