Creating an Active Directory discovery profile

You create an Active Directory discovery profile to probe Windows and UNIX computers, servers, and workstations. A discovery profile identifies the type of systems you want to locate on your network and add to the Zero Trust Privileged Access Service. After you configure the details for the discovery profile, you can use the profile to run a discovery job immediately or schedule the discovery job.

You can also create multiple discovery profiles to look for computers, domains, services, and accounts that match different criteria. For example, you might create separate discovery profiles to look for Windows servers and UNIX workstations.

Active Directory discovery uses the connectors specified on the Admin Portal > Resources > Domains > select the relevant domain > Connectors page.

To create an Active Directory discovery profile:

  1. Log in to Admin Portal.
  2. Click Discovery > Profiles in the Systems area.
  3. Click Add Profile and type a unique name for the new discovery profile.
  4. Type an optional description for the profile.
  5. Confirm that Active Directory is selected as the discovery method.
  6. Click the Select button to select the domain account for discovering systems and accounts in the specified domains. The Select Account window opens.

    1. Start typing part of the account name to search for and select an existing account with read permissions and local administrator permissions on the computers to be discovered.

      The account you specify must have the Privileged Access Service Administrator administrative right to successfully discover computers, domains, services, and accounts on the network.

    2. Click the Select button at the bottom of the window.
  7. Review the list of domains to be searched and select at least one domain.

    The discovery profile displays the domains and sub-domains found in Active Directory as candidates for discovery. Only domains that are automatically synced with an active connector are available for discovery.

  8. (Optional) Click Add in the Group Membership area to specify the Active Directory group within which you want to discover systems.
  9. Review the list of filter options and modify the filters as needed.

    For example, if you only want to discover Windows servers, you would select the Windows Computers and Servers filters. For Windows computers, the operatingSystem attribute determines whether the computer is a server or a workstation. If you are discovering UNIX and Linux computers joined to the domain, the Centrify license type determines whether the computer is identified as a server or a workstation.

    Note that only active computers, meaning those whose computer account password has been changed in the last 14 days, are candidates for discovery. Computer objects that are disabled or inactive are ignored.

    Systems already imported are not overwritten on subsequent discoveries.

  10. Click Save.
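Before running a discovery job it is useful to predict which computer objects the active/inactive and server/workstation filters will admit, so that an unexpectedly empty (or unexpectedly large) result can be explained. The script below is an added example and is not part of the Centrify documentation or product: it models the filter rules described above over a handful of constructed computer records. It assumes that the password-change time is read from the pwdLastSet attribute (a Windows FILETIME), that the disabled state is the ACCOUNTDISABLE bit of userAccountControl, and that a Windows computer counts as a server when its operatingSystem value contains the word "Server"; the UNIX/Linux license-type rule is not modelled.

```python
from datetime import datetime, timedelta, timezone

# Ticks (100 ns) between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
FILETIME_EPOCH_DELTA = 116444736000000000
ACCOUNTDISABLE = 0x0002          # userAccountControl bit for a disabled account
MAX_PASSWORD_AGE = timedelta(days=14)  # "active" window stated in the discovery rules


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    unix_seconds = (filetime - FILETIME_EPOCH_DELTA) / 10_000_000
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample records."""
    return int(dt.timestamp() * 10_000_000) + FILETIME_EPOCH_DELTA


def classify(computer: dict) -> str:
    # Assumed rule: the operatingSystem attribute decides server vs. workstation.
    os_name = computer.get("operatingSystem", "").lower()
    return "server" if "server" in os_name else "workstation"


def is_candidate(computer: dict, now: datetime) -> tuple:
    """Return (candidate?, reason) applying the disabled/inactive rules."""
    if computer.get("userAccountControl", 0) & ACCOUNTDISABLE:
        return False, "disabled"
    pwd_last_set = computer.get("pwdLastSet", 0)
    if pwd_last_set == 0:
        return False, "inactive (password never set)"
    age = now - filetime_to_datetime(pwd_last_set)
    if age > MAX_PASSWORD_AGE:
        return False, "inactive (password age %d days)" % age.days
    return True, "active"


def preview(computers, now, want_servers=True, want_workstations=True):
    """Apply the candidate rule and the server/workstation filter to each record."""
    results = []
    for c in computers:
        ok, reason = is_candidate(c, now)
        kind = classify(c)
        wanted = (kind == "server" and want_servers) or (kind == "workstation" and want_workstations)
        results.append({"name": c["name"], "kind": kind, "selected": ok and wanted, "reason": reason})
    return results


# Constructed sample data: a fixed "now" and five computer objects (not real hosts).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_COMPUTERS = [
    {"name": "SRV01", "operatingSystem": "Windows Server 2019 Standard",
     "userAccountControl": 0x1000, "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=3))},
    {"name": "WS07", "operatingSystem": "Windows 10 Enterprise",
     "userAccountControl": 0x1000, "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10))},
    {"name": "OLD02", "operatingSystem": "Windows Server 2012 R2 Standard",
     "userAccountControl": 0x1000, "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=60))},
    {"name": "DIS03", "operatingSystem": "Windows 10 Enterprise",
     "userAccountControl": 0x1002, "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=1))},
    {"name": "NEW04", "operatingSystem": "Windows 11 Pro",
     "userAccountControl": 0x1000, "pwdLastSet": 0},
]

if __name__ == "__main__":
    # Preview a "Windows servers only" profile, as in the example in step 9.
    for row in preview(SAMPLE_COMPUTERS, NOW, want_servers=True, want_workstations=False):
        print("%-6s %-11s selected=%-5s %s" % (row["name"], row["kind"], row["selected"], row["reason"]))
```

With the sample data, only SRV01 is selected for a servers-only profile; WS07 is active but filtered out as a workstation, OLD02 is inactive, DIS03 is disabled, and NEW04 has never had its password set. Run against real attribute values exported from the domain, the same logic gives a quick sanity check of what a profile will return before the job is scheduled.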