Creating an alternative account discovery profile

Creating a profile allows you to specify a filter pattern for identifying the alternative accounts in Active Directory. After the profile is created, you can optionally delegate permissions to additional users and roles to manage the profile. See Assigning alternative accounts profile management permissions.

To create an alternative account discovery profile:

  1. Log in to the Admin Portal.
  2. Click Discovery > Profiles, then click the Add Profile button.
  3. The Settings page opens.

  4. Provide the following information on the Settings page:
    1. Enter a Name for the profile.
    2. (Optional) Enter a profile description.
    3. In the User Name Matching Pattern field, enter the user name pattern used to search for alternative accounts.
    4. Privileged Access Service uses the name pattern to discover each alternative account and then searches for an owner account with the matching name. The word “owner” enclosed in curly brackets {} is reserved to represent a user name. For example, {owner}-a finds all accounts ending with -a, such as john01-a or mary.smith-a; these are the alternative accounts, and Centrify searches for owners named john01 or mary.smith (the {owner} part of the pattern). However, the word “owner” without the curly brackets can be used legitimately; for example, owner-{owner}-a is an acceptable filter.

      Use the vertical bar “|” to specify multiple patterns. You cannot use the wildcard character to discover all the alternative accounts in the domain.

    5. Select the domains for which you want to discover the alternative accounts.
    6. We search for alternative accounts within the specified domain(s) and Active Directory Organizational Units (OUs). We search all the forests that have a Centrify Connector installed (with Active Directory proxy enabled) for the owner accounts.

    7. (Optional) Select the “Filter by Active Directory Groups” check box and click Add to specify the Active Directory groups within your selected domains to discover the alternative accounts.

      The alternative accounts found in a particular domain are filtered by the Active Directory groups that belong to the same domain.

  5. Click Save.

We show the newly created profile with the Ready status, in addition to the following information, on the Profiles page.

Field Name      Description
Last Run        Date and time the profile was run.
Elapsed Time    Time it took to run the profile.

Profiles can have the following statuses:

  • Starting -- You have started the discovery process on the profile.
  • Ready -- Profile is configured and ready for discovery.
  • Discovering Accounts -- Alternative accounts are being discovered.
  • Discovering Owners -- Owner accounts are being discovered.
  • Saving -- Saving the results.
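
To preview which accounts a User Name Matching Pattern would pick up before saving a profile, the Python sketch below models the {owner} and “|” rules described above. It is an added example, not Centrify code; the function names, the sample account list, case-insensitive matching, and the one-{owner}-per-pattern rule are assumptions.

```python
import re

PLACEHOLDER = "{owner}"

def compile_patterns(spec):
    """Turn a pattern string such as '{owner}-a|adm-{owner}' into anchored regexes."""
    compiled = []
    for pattern in spec.split("|"):          # "|" separates multiple patterns
        pattern = pattern.strip()
        # Assumption: each pattern carries exactly one {owner} placeholder.
        if pattern.count(PLACEHOLDER) != 1:
            raise ValueError(f"{pattern!r} must contain {PLACEHOLDER} exactly once")
        # Assumption: a bare {owner} would match every account, so reject it.
        if pattern == PLACEHOLDER:
            raise ValueError("pattern needs a literal prefix or suffix")
        prefix, suffix = pattern.split(PLACEHOLDER)
        # Everything outside {owner} is literal, including the bare word "owner".
        regex = re.escape(prefix) + r"(?P<owner>.+)" + re.escape(suffix)
        compiled.append(re.compile(regex, re.IGNORECASE))
    return compiled

def derive_owners(spec, account_names):
    """Map each matching alternative account to the owner name it implies."""
    patterns = compile_patterns(spec)
    found = {}
    for name in account_names:
        for rx in patterns:
            m = rx.fullmatch(name)
            if m:
                found[name] = m.group("owner")
                break
    return found

def unowned(found, account_names):
    """Alternative accounts whose implied owner is not in the account list."""
    known = {n.lower() for n in account_names}
    return sorted(alt for alt, owner in found.items() if owner.lower() not in known)

# Constructed sample directory listing (not real accounts).
SAMPLE = ["john01", "john01-a", "mary.smith-a", "adm-kim", "kim",
          "svc-backup", "owner-john01-a"]

if __name__ == "__main__":
    result = derive_owners("{owner}-a|adm-{owner}", SAMPLE)
    for alt, owner in result.items():
        print(f"{alt:16} -> owner {owner}")
    print("no owner found:", unowned(result, SAMPLE))
```

Alternative accounts reported by unowned() are worth reviewing before the profile runs, because no owner account with the implied name exists in the list.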