In many companies, systems administrators have set up user accounts for services to run under. These services run on systems and the accounts are quickly forgotten until something changes and the passwords for these accounts need to be changed. Then comes the task of finding where the account is used.
Having been faced with this, I wrote a simple PowerShell script that will connect to your Active Directory, find your servers and then tell you which services on those servers are running with a service account.
This script does have the prerequisite that you install the Quest AD Cmdlets. You can download them from here: https://www.oneidentity.com/products/active-roles/activeroles-server.aspx.
NOTE: While this script doesn’t modify anything, it is not recommended to run this against your production environment without testing it first against a lab.
######################################################################
#
# Get-Service Accounts
# Written by Adam Ball
# Version 2.0
#
######################################################################

# Verify that the Quest AD Cmdlets are loaded
if ( (Get-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue) -eq $null ) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

# Get the list of servers from Active Directory
$servers = Get-QADComputer | where { $_.OSName -match "Server" } | sort Name

# Set the live computers array
$livecomputers = @()

# Get credentials for connecting to servers as a Domain Admin
$cred = Get-Credential

# Check each server to make sure it is up.
foreach ($x in $servers) {
    $up = Test-Connection -Count 1 -ComputerName $x.Name -ErrorAction SilentlyContinue
    if ($up -ne $null) { $livecomputers += $x.Name }
}

# Main function - using WMI, check each service and find any service that is using a non-standard account
foreach ($machine in $livecomputers) {
    Write-Output "Machine - $machine"
    gwmi win32_service -computer $machine -Credential $cred |
        where { $_.StartName -ne "LocalSystem" } |
        where { $_.StartName -ne "NT AUTHORITY\LocalService" } |
        where { $_.StartName -ne "NT AUTHORITY\NetworkService" } |
        where { $_.StartName -ne "Local System" } |
        where { $_.StartName -ne "NT AUTHORITY\Local Service" } |
        where { $_.StartName -ne "NT AUTHORITY\Network Service" } |
        ft Name,StartName
}
Adam Ball, PEI
I receive an error when running the script:
PS C:\Temp> .\testps.ps1
The string starting:
At C:\Temp\testps.ps1:24 char:437
+ foreach ($machine in $livecomputers){ Write-Output “Machine – $machine” gwmi win32_service -computer $machine -Credential $cred | where {$_.StartName -ne “LocalSystem”} | where {$_.StartName -ne “NT AUTHORITYLocalService”} | where {$_.StartName -ne “NT A
UTHORITYNetworkService”} | where {$_.StartName -ne “Local System”} | where {$_.StartName -ne “NT AUTHORITYLocal Service”} | where {$_.StartName -ne “NT AUTHORITYNetwork Service <<<< "} | ft Name,StartName }
is missing the terminator: ".
At C:\Temp\testps.ps1:24 char:461
+ foreach ($machine in $livecomputers){ Write-Output "Machine – $machine" gwmi win32_service -computer $machine -Credential $cred | where {$_.StartName -ne "LocalSystem"} | where {$_.StartName -ne "NT AUTHORITYLocalService"} | where {$_.StartName -ne "NT A
UTHORITYNetworkService"} | where {$_.StartName -ne "Local System"} | where {$_.StartName -ne "NT AUTHORITYLocal Service"} | where {$_.StartName -ne "NT AUTHORITYNetwork Service"} | ft Name,StartName } <<<<
+ CategoryInfo : ParserError: (} | ft Name,StartName }:String) [], ParseException
+ FullyQualifiedErrorId : TerminatorExpectedAtEndOfString
How can this script be modified to output to a file?
Use the script below to send the output to a text file:
# Collect the formatted results from every server, then write them to one file
$r = @()
foreach ($machine in $livecomputers) {
    Write-Output "Machine - $machine"
    $r += (gwmi win32_service -computer $machine -Credential $cred | where {$_.StartName -ne "LocalSystem"} | where {$_.StartName -ne "NT AUTHORITY\LocalService"} | where {$_.StartName -ne "NT AUTHORITY\NetworkService"} |
        where {$_.StartName -ne "Local System"} | where {$_.StartName -ne "NT AUTHORITY\Local Service"} | where {$_.StartName -ne "NT AUTHORITY\Network Service"} | ft Name,StartName)
}
$r | Out-File c:\scripts\test.txt
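The script's filter chain and the file-output question above, combined as an added example that is not the original author's code: it emits objects instead of formatted text, so the result can be grouped by account or exported to CSV. The function names, the sample hosts and the sample accounts are assumptions made for illustration, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not the original author's code); assumes Windows PowerShell 3.0 or later.
# Built-in identities the original where-chain excludes; -contains compares case-insensitively.
$BuiltinAccounts = @(
    'LocalSystem', 'Local System',
    'NT AUTHORITY\LocalService', 'NT AUTHORITY\Local Service',
    'NT AUTHORITY\NetworkService', 'NT AUTHORITY\Network Service'
)

function Select-ServiceAccountUsage {
    # Hypothetical helper: emits one row per service that runs under a non-built-in account.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Service,
        [string[]] $Exclude = $BuiltinAccounts
    )
    process {
        # Assumption: services with an empty StartName are skipped (the original script lists them).
        if ([string]::IsNullOrWhiteSpace($Service.StartName)) { return }
        if ($Exclude -contains $Service.StartName.Trim()) { return }
        [pscustomobject]@{
            Computer  = $Service.SystemName
            Service   = $Service.Name
            StartName = $Service.StartName
        }
    }
}

function Export-ServiceAccountReport {
    # Hypothetical wrapper: queries each live server over WMI and writes the rows to a CSV file.
    param([string[]] $ComputerName, [pscredential] $Credential, [string] $Path)
    $ComputerName |
        ForEach-Object { Get-WmiObject Win32_Service -ComputerName $_ -Credential $Credential } |
        Select-ServiceAccountUsage |
        Export-Csv -Path $Path -NoTypeInformation
}

# Constructed sample rows standing in for Win32_Service output (hosts and accounts are made up).
$sample = @(
    [pscustomobject]@{ SystemName = 'SRV01'; Name = 'Spooler';     StartName = 'LocalSystem' }
    [pscustomobject]@{ SystemName = 'SRV01'; Name = 'BackupAgent'; StartName = 'EXAMPLE\svc-backup' }
    [pscustomobject]@{ SystemName = 'SRV02'; Name = 'W32Time';     StartName = 'NT AUTHORITY\LocalService' }
    [pscustomobject]@{ SystemName = 'SRV02'; Name = 'BackupAgent'; StartName = 'example\SVC-Backup' }
)

# Group by account to answer "where is this account used?" before a password change.
$sample | Select-ServiceAccountUsage |
    Group-Object StartName |
    Select-Object Name, @{ n = 'UsedOn'; e = { ($_.Group | ForEach-Object { "$($_.Computer)/$($_.Service)" }) -join ', ' } }
```

With the original script's variables, the live run would be Export-ServiceAccountReport -ComputerName $livecomputers -Credential $cred -Path with a CSV path of your choice.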