Privileged Access Management · Training Series

Service Account Discovery & Management

A comprehensive guide to identifying, managing, and securing human and non-human accounts using Secret Server and CID Discovery.

01 · Why Service Account Discovery Matters
Understanding the foundations of account management in modern enterprise environments.
The Hidden Risk
Organizations often have hundreds of unmanaged service accounts operating across their infrastructure. These accounts — whether human or non-human — represent one of the largest attack surfaces in any enterprise environment.

Discover Hidden Accounts
Automatically scan your environment to surface both managed and unmanaged accounts across domains, systems, and cloud platforms.

Centralize Control
Bring all service accounts under a single management plane — eliminating shadow IT and reducing credential sprawl.

Automate Rotation
Replace manual password management with automated rotation policies, removing human error and ensuring compliance.

Audit & Compliance
Maintain a continuous, up-to-date record of every account in your infrastructure, satisfying audit requirements and reducing risk exposure.

Reduce Attack Surface
Identify dormant, orphaned, and overprivileged accounts before attackers exploit them — part of a zero-trust strategy.

Non-Human Identity Security
Govern machine-to-machine credentials — API keys, service tokens, certificates — with the same rigor applied to human identities.

Key Terminology

Service Account
A non-interactive account used by applications, services, or automation scripts to authenticate and access resources.
Human Account
A credential associated with an individual person, used interactively for system access and privileged operations.
Non-Human Identity (NHI)
Machine identities including service accounts, API keys, tokens, certificates, and other automated credentials.
Discovery
The process of scanning networks, directories, and endpoints to identify and catalog all accounts in an environment.
Orphaned Account
An account with no active owner — often left behind after employee departure or system decommission — presenting high risk.
Credential Sprawl
The uncontrolled proliferation of credentials across systems, making tracking and rotation unmanageable.
02 · Human vs. Non-Human Accounts
Understanding the differences and management strategies for each account type.
Two Worlds, One Platform
Secret Server Discovery and CID Discovery are designed to handle both human accounts (administrators, privileged users) and non-human accounts (service accounts, APIs, bots) within a unified management framework.
Characteristic          | Human Accounts                          | Non-Human Accounts
------------------------|-----------------------------------------|------------------------------------------
Authentication Type     | Interactive login (MFA, SSO)            | Automated, key-based, or token-based
Rotation Cadence        | User-driven or policy-enforced          | Fully automated via Secret Server
Ownership               | Named individual                        | Application, process, or team
Risk Profile            | Insider threat, phishing, shared creds  | Hard-coded creds, token theft, orphaned
Discovery Method        | Active Directory, LDAP scans            | Process scanning, API enumeration, CID
Lifecycle Management    | HR system integrated                    | Application lifecycle dependent
Secret Server Support   | ✓ Full discovery & vault                | ✓ Full discovery & rotation
CID Discovery           | ✓ Identity correlation                  | ✓ Deep NHI enumeration

Account Types — Deep Dive

Human Privileged Accounts
  • Domain administrator accounts with elevated Active Directory privileges
  • Local administrator accounts on servers, workstations, and endpoints
  • Database administrator (DBA) accounts with full database access
  • Emergency/break-glass accounts used during outages or incidents
  • IT operator accounts with elevated system management capabilities
  • Named shared accounts used by teams (e.g., helpdesk@domain)
Non-Human / Service Accounts
  • Windows service accounts running system services (IIS, SQL Server, etc.)
  • Scheduled task accounts executing automated scripts and batch jobs
  • Application service accounts connecting apps to databases or directories
  • API service accounts authenticating integrations between systems
  • DevOps pipeline credentials (CI/CD, deployment automation)
  • Cloud service principals (Azure, AWS, GCP workload identities)
  • IoT and embedded device credentials
High-Risk Account Patterns
  • Accounts with passwords that never expire (PNE flag set)
  • Orphaned accounts with no current owner or responsible team
  • Shared credentials used by multiple users simultaneously
  • Hard-coded credentials embedded in application code or config files
  • Accounts with excessive privileges beyond minimum required
  • Dormant accounts inactive for 90+ days but still enabled
  • Service accounts with interactive logon rights (unnecessary privilege)
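As an added example (not part of this training module or of Secret Server), the Python routine below applies the high-risk patterns listed above to records shaped like a directory discovery export and ranks the accounts for review. The two userAccountControl bit values are the real Active Directory ADS_USER_FLAG constants; the record fields, the sample accounts and the scoring weights are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Active Directory userAccountControl bits (ADS_USER_FLAG values)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
DORMANT_AFTER = timedelta(days=90)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Weights are an assumption made for this example, not a product scoring model
WEIGHTS = {"password-never-expires": 2, "orphaned": 3, "dormant-enabled": 2,
           "service-interactive-logon": 2, "overprivileged": 3}

def flag_account(acct: dict, now: datetime) -> list[str]:
    """Return the high-risk patterns from the list above that apply to one account."""
    flags = []
    uac = acct["uac"]
    if uac & UF_DONT_EXPIRE_PASSWD:
        flags.append("password-never-expires")
    if not acct.get("owner"):
        flags.append("orphaned")
    last = acct.get("last_logon")
    enabled = not (uac & UF_ACCOUNTDISABLE)
    if enabled and (last is None or now - last > DORMANT_AFTER):
        flags.append("dormant-enabled")
    if acct["kind"] == "service":
        if acct.get("interactive_logon"):
            flags.append("service-interactive-logon")
        if PRIVILEGED_GROUPS & set(acct.get("groups", ())):
            flags.append("overprivileged")
    return flags

def risk_score(flags: list[str]) -> int:
    return sum(WEIGHTS[f] for f in flags)

def triage(accounts: list[dict], now: datetime) -> list[tuple]:
    """Rank discovered accounts so the riskiest are reviewed first."""
    rows = [(a["sam"], flag_account(a, now)) for a in accounts]
    return sorted(((s, f, risk_score(f)) for s, f in rows), key=lambda r: r[2], reverse=True)

# Constructed sample of what a directory discovery run might return
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"sam": "svc_backup", "kind": "service", "uac": 0x10200, "owner": None,
     "last_logon": NOW - timedelta(days=200), "groups": ["Domain Admins"],
     "interactive_logon": True},
    {"sam": "jdoe", "kind": "human", "uac": 0x200, "owner": "jdoe",
     "last_logon": NOW - timedelta(days=2), "groups": ["Domain Users"]},
    {"sam": "svc_report", "kind": "service", "uac": 0x10202, "owner": "BI team",
     "last_logon": NOW - timedelta(days=400), "groups": []},
]
```

A disabled account is not reported as dormant because it no longer offers a logon path; it is still flagged for a password-never-expires setting so the finding survives if someone re-enables it.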
03 · Secret Server Discovery
Automated scanning, vaulting, and lifecycle management for all account types.
Network Scanning
Agentless scanning of IP ranges, Active Directory OUs, and Windows domains to identify all active accounts and endpoints.

AD Integration
Deep LDAP/Active Directory integration discovers user accounts, service accounts, computer objects, and group memberships.

Service Account Detection
Identifies Windows services, scheduled tasks, IIS app pools, and COM+ applications running under service credentials.

Automated Rotation
Policy-driven password rotation with dependency awareness — automatically updates all services that use a rotated credential.

Secret Vaulting
Discovered accounts are imported into the encrypted vault with role-based access, full audit trails, and session monitoring.

Continuous Monitoring
Scheduled discovery runs ensure new accounts are detected quickly and policy drift is flagged for remediation.
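The dependency-aware rotation described under Automated Rotation, as an added example that is not Secret Server's own code: the new password is set directory-side, pushed to every dependency mapped for the account, and the whole change is unwound if any push fails, so the account is never left with a password its dependents do not know. The Dependency model, the push_credential stand-in and the account dict are constructed for this example.

```python
import secrets
import string
from dataclasses import dataclass

# Constructed model of a discovered service account's dependency map: every
# Windows service, scheduled task or IIS app pool that runs under the account
# must receive the new password, or the rotation is rolled back.

@dataclass
class Dependency:
    kind: str               # "service", "scheduled_task" or "app_pool"
    name: str
    host: str
    configured: str         # password the dependency currently holds
    reachable: bool = True  # simulate a host that cannot be updated right now

def generate_password(length: int = 32) -> str:
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def push_credential(dep: Dependency, password: str) -> None:
    """Stand-in for the per-dependency update a PAM tool performs
    (service logon account, task principal, app pool identity)."""
    if not dep.reachable:
        raise ConnectionError(f"{dep.kind} {dep.name} on {dep.host} unreachable")
    dep.configured = password

def rotate(account: dict, deps: list[Dependency]) -> dict:
    """Rotate the directory password and propagate it to all dependencies;
    revert everything already changed if any dependency cannot be updated."""
    old, new = account["password"], generate_password()
    account["password"] = new          # directory-side change happens first
    updated: list[str] = []
    for dep in deps:
        try:
            push_credential(dep, new)
            updated.append(dep.name)
        except ConnectionError as err:
            for done in deps:          # unwind only what was actually changed
                if done.name in updated:
                    push_credential(done, old)
            account["password"] = old
            return {"rotated": False, "error": str(err), "reverted": updated}
    return {"rotated": True, "updated": updated}
```
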

Discovery Sources Supported

Active Directory / LDAP
  • Scans all OUs (Organizational Units) within a domain forest
  • Enumerates user accounts, service accounts, and computer objects
  • Identifies accounts with password-never-expires flag
  • Detects accounts with Kerberos delegation settings
  • Maps group memberships to identify admin and privileged users
  • Supports multi-domain and multi-forest environments
Windows Endpoints & Servers
  • Local administrator accounts on domain-joined machines
  • Windows services and their associated service account credentials
  • Task Scheduler jobs running under specific user credentials
  • IIS Application Pool identities across all web servers
  • COM+ Component Services application identities
  • Registry and configuration file scanning for embedded credentials
Unix / Linux Systems
  • Local user account enumeration via SSH-based discovery
  • Root and sudo privilege mapping across systems
  • Service daemon account identification (www-data, postgres, etc.)
  • SSH key pair discovery and management
  • Cron job user context analysis
  • Support for AIX, HP-UX, Solaris alongside Linux distributions
Database Platforms
  • Microsoft SQL Server: logins, database users, and linked server credentials
  • Oracle Database: user accounts, roles, and proxy authentication
  • MySQL / MariaDB: user host combinations and privileges
  • PostgreSQL: roles, schemas, and pg_hba.conf mapping
  • Sybase and IBM DB2 support via extensible connectors
Pro Tip: Discovery Scanners
Secret Server uses lightweight distributed discovery scanners (site connectors) that can be deployed in segmented network zones, DMZs, or cloud VPCs — ensuring comprehensive coverage without opening unnecessary firewall rules to your core PAM server.
04 · CID Discovery
Cloud Identity Discovery — extending visibility into cloud-native and hybrid identity environments.
What is CID?
CID (Cloud Identity Discovery) extends the traditional on-premises discovery model to cloud environments, discovering identities across Azure AD, AWS IAM, Google Cloud IAM, and SaaS applications — bridging the gap between legacy and modern infrastructure.

Cloud-Native Discovery
Natively integrates with Azure AD, AWS IAM, and GCP IAM to enumerate service principals, roles, managed identities, and workload credentials.

Identity Correlation
Correlates cloud identities with on-premises accounts to give a unified view of every user and service account across hybrid environments.

Shadow IT Detection
Surfaces unauthorized cloud resources and identities created outside of approved provisioning processes — reducing blind spots.

Risk Scoring
Applies risk scoring to discovered identities based on privilege level, last activity, MFA status, and policy compliance gaps.

API Key & Token Management
Discovers and manages API keys, OAuth tokens, and service account credentials used across cloud platforms and SaaS tools.

Continuous Drift Detection
Monitors for configuration drift, privilege escalations, and new unmanaged accounts created since the last scan cycle.

CID vs Secret Server Discovery: When to Use Each

Scenario                    | Secret Server Discovery | CID Discovery
----------------------------|-------------------------|-------------------------
On-prem AD accounts         | ✓ Primary tool          | Supplemental
Windows service accounts    | ✓ Primary tool          | Not applicable
Azure AD service principals | Limited                 | ✓ Primary tool
AWS IAM roles & users       | Limited                 | ✓ Primary tool
Hybrid identity correlation | On-prem side            | ✓ Full correlation
SaaS application accounts   | Via launchers           | ✓ Native support
API key discovery           | Limited                 | ✓ Primary tool
Password rotation           | ✓ Full automation       | ✓ Cloud-native rotation
CID: Non-Human Identity Features
  • Discovers machine identities: certificates, SSH keys, OAuth clients, and API tokens
  • Maps NHI relationships — which app uses which credential for which target
  • Identifies credentials approaching expiration before they cause outages
  • Flags overprivileged service principals violating least privilege
  • Detects unused machine identities that should be decommissioned
  • Integrates with Delinea Platform for unified NHI governance
05 · Discovery-to-Management Workflow
A step-by-step walkthrough of the complete account management lifecycle.

Secret Server — Discovery Pipeline

Step 01 · Configure Discovery Source
Step 02 · Run Network Scan
Step 03 · Review Discovered Accounts
Step 04 · Import to Vault
Step 05 · Apply Policies
Step 06 · Monitor & Rotate

CID — Cloud Identity Pipeline

Step 01 · Connect Cloud Tenant
Step 02 · Enumerate Identities
Step 03 · Risk Score Accounts
Step 04 · Correlate with On-Prem
Step 05 · Remediate & Govern

Operational Best Practices Checklist


  • Define discovery scope — identify all Active Directory domains, OUs, and IP ranges to scan
  • Create a dedicated discovery service account with minimum required read-only permissions
  • Deploy distributed scanners (site connectors) in all network segments requiring discovery
  • Configure discovery schedules — at minimum weekly full scans with daily delta scans
  • Set up import rules to auto-create secrets for discovered accounts meeting defined criteria
  • Assign ownership — every vaulted account must have a responsible team or individual
  • Configure automated rotation policies for all service accounts with dependency mapping
  • Connect cloud tenants (Azure, AWS, GCP) to CID for non-human identity visibility
  • Review and remediate all accounts flagged as orphaned, stale, or overprivileged
  • Enable real-time alerting for new unmanaged accounts detected outside the vault
06 · Knowledge Check
Test your understanding of service account discovery and management concepts.