In our last post we discussed importing secrets manually into Secret Server using our Migration Tool and the built-in CSV and XML import. This week we are going to review how to automatically import credentials into Secret Server.
Discovery in Secret Server
Discovery is a major feature in Secret Server with two main functions:
- Scan your network for local Windows accounts and import them as Secrets. With Discovery Rules, this process can be automated to run on a schedule, and new accounts will be imported based on a set of parameters that you establish.
- Scan your network and pull in Windows services, attaching them as dependencies to current Secrets or creating new Secrets based on the particular account running the service.
How to Set Up Discovery
Setting up Discovery is simple.
- On the Administration>Discovery page, check the box enabling Discovery.
- Set the interval at which you want Discovery to scan the domain.
- Create a domain for Discovery to run against: on Administration>Discovery, click Edit Domains and then click Create New. Here you will enter the Fully Qualified Domain Name. Use an account that has access to all the machines you would like to discover and the ability to change the passwords for those accounts.
- Check the Enable Discovery box for the new domain and then click Save and Validate. Secret Server will confirm that it can reach your domain.
Once Discovery is turned on, it will start running scans throughout the network. This occurs in batches so as to not bog down your network.
Import Accounts using Discovery
- When the scans finish, click Discovery Network View on the Administration>Discovery page.
- You will see two tabs, one for local Windows accounts and another for service accounts. This page enables you to find the accounts you would like to import. It allows you to filter computers based on organizational unit (OU) and search for specific computers and accounts.
- Check the accounts you wish to import and click the import button. Secret Server will automatically create a Secret for each. You also have the option of changing the passwords for the accounts when the Secrets are created.
Using the API to Create Secrets
The final method of importing Secrets is to use our API to programmatically create the Secrets. The Secret Server API allows basic functions to be performed on Secrets, such as creating, deleting or modifying them.
The API is especially useful when you have an existing script that already provisions accounts. Secret Server provides web service API calls that can be added to your existing script in order to create Secrets after your new accounts are provisioned.
After Secrets are imported, the API can also be used if you have third-party applications that need credential access (i.e., the API can then be used to programmatically provide credentials stored in Secret Server). The API is also good for updating existing Secrets. For example, if your domain name has changed, you can use the API to quickly update all applicable Secrets to match the new domain.