In many environments, the same domain administrator account can be found linked to Windows Services all over the place for all kinds of reasons, and these need to be found and replaced.
Then there are times when you need to reset the password for a service account, but are not sure where it’s being used. The following scripts will assist with these dilemmas.
To find all servers with services running with a service account the first script below uses the Active Directory PowerShell modules to get all servers, then individually queries each server for all services that are not running with the “NT Authority” or “LOCALSYSTEM” accounts (which should just leave custom service accounts).
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
import-module activedirectory; $servers = get-adcomputer -filter {operatingsystem -like "*server*"}; foreach ($server in $servers) { $services = $null; $services = gwmi win32_service -computer $server.name -ErrorAction SilentlyContinue | where {($_.startname -notlike "*nt authority*") -and ($_.startname -ne "localsystem")}; if ($services -ne $null) { foreach ($service in $services) { write-host $server.name - $service.caption - $service.startname; } } } |
To find all servers with services running with a specific service account the script from above has been modified to now search for services running with the “sql.service” service account (which can easily be modified to any account name).
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
import-module activedirectory; $servers = get-adcomputer -filter {operatingsystem -like "*server*"}; foreach ($server in $servers) { $services = $null; $services = gwmi win32_service -computer $server.name -ErrorAction SilentlyContinue | where {($_.startname -like "*sql.service*")}; if ($services -ne $null) { foreach ($service in $services) { write-host $server.name - $service.caption - $service.startname; } } } |
This has helped so much!
Possible to add code to search in multiple domain (or allow me to specify other domains or even a forest?)
Possible to add code to export of returned info to a .csv file?
Thank you!
The easiest way to get the data into a CSV, is to:
1) remove the write-host line.
2) replace that line with these two lines:
$out = $server.name + "," + $service.caption + "," + $service.startname;$out >> c:\temp\results.csv;
So im using this to see what constantly is locking out one of our service accounts.
is there a was to see if the account is used anywhere? not just as a service
Yes – you should start by looking at the Security Event logs for failed logon attempts.
Thanks for the code.
gwmi : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
This is likely due to Windows Firewall blocking it, but could also just be a general permissions problem if you’re not an administrator of the server you’re trying to connect to.