Discovering alternative accounts
You can use Centrify Privileged Access Service to discover alternative accounts in Active Directory (typically a higher-access or privileged account such an administrative account), associate them with the relevant owner accounts (the non-privileged account), and log-in to the alternative accounts using your non-privileged accounts. For example, system administrators typically have several accounts, a user account for general log-ins and an administrative account to access specific systems and services. You can automatically add these administrative accounts (referred to in general as “alternative accounts”) to Privileged Access Service and we manage the password generation for these accounts. You can then log-in to the administrative account using the general account. Alternative accounts to be discovered and the owner accounts need to be in Active Directory.
The alternative accounts can have permanently-assigned group memberships that grant privilege (e.g. Domain Admins, Local Administrators). These accounts can also use DirectAuthorize for privilege elevation.
The procedures for discovering alternative accounts and Privileged Access Service management of these accounts include:
- Creating an alternative account discovery profile
- Assigning alternative accounts profile management permissions
- Running an alternative accounts profile
- Assigning or re-assigning owners for alternative accounts
- Committing alternative accounts
The History page allows you to view activity for previous and current discovery jobs. You can use the History page to learn more about the items added to the privileged access service.
Before you start creating a profile to discover alternative accounts, make sure you have met the following requirements:
- The relevant domains must also have administrative accounts configured. See Setting domain administrative accounts.
- The domains for which you want to discover the alternative accounts must have the “Enable automatic account maintenance using administrative account” policy enabled (Resources > Domains > Select the relevant domain > Policy). This policy is required for Privileged Access Service to manage the alternative accounts.
- The alternative account used to run a service should have automatic password rotation enabled. See Automating password rotation for more information.