Wednesday, December 12, 2007

Script to Audit Service Accounts

Although it is not a good practice to use domain Administrator as a service account, it is still very likely to find such implementations in many organizations. In addition, even if administrator is not used, the same service account can be in use on multiple servers and for multiple services. If there's no document or database available in your environment to keep track of these service accounts, you are in trouble. And if for some reason you need to change the password of these service accounts, you have to know which servers and which services will be affected with the password change.

The script addresses this need. It scans the given list of servers and tries to find a match for the provided keyword in the service accounts. Any matching service and computer name is logged and displayed on the screen. You can use the output file as a reference for updating the passwords. Script does not provide any password change functionality.

Usage:

cscript q_svc.vbs filename keyword

For example:

cscript q_svc.vbs serverlist.txt mydomain\adm

or

cscript q_svc.vbs serverlist.txt svcadmin@mydomain.local


Since the script uses string functions, for example, "mydomain\adm" search will catch both "mydomain\admin" and "mydomain\administrator" accounts if they exist.

You have to be careful and remember that service accounts sometimes are stored in UPN (username@domain) format. If you do a search for "mydomain\adm" only, you will miss the entries like administrator@mydomain.local. On the other hand, a search with the keyword "admin" will catch both type of entries.

To download the script and sample serverlist.txt file, click on "I agree", you will be forwarded to the download site. Modify and populate the serverlist.txt file with your server names, decide on the keyword to search for, then start the script. Test it and if you have any ideas or questions regarding this script, feel free to contact me using the comment link.

Update to the Post:
Somehow, the old free file hosting company decided that these utility scripts cause "abuse/copyright violations" and decided to remove them. Instead of trying to convince them that these scripts belong to me and has nothing to do with abuse, I simply moved them over to another (and better) file hosting service. Sorry for the inconvenience, and thanks for warning me about the dead links.
Another Update to the Post:
Thanks to Mark Vaughn, I realized that the script was not working as intended. I had to change the search logic a little bit. Instead of using queries with "like" on Windows 2003 systems, it checks each service for the given keyword now. I apologize for any inconvenience I might have caused with the previous version.
 

11 comments:

Anonymous said...

Where do I need to edit the script to search for a specific user account that is being used for running service accounts? Thanks.

Ilker Aydin said...

The script does not need to be edited. All you need is to decide what kind of keyword you wish to search. If the service account name you're looking for is "JohnS" for example, you can run the script with the following command line:
"cscript q_svc.vbs serverlist.txt JohnS". Alternatively, if you run the script with "cscript q_svc.vbs serverlist.txt John" command, it will find all service accounts which include "John" in them. It's up to you to pick which "keyword" to search for. Hope this answers your question.

Anonymous said...

This script is fantastic! I was handed a project to clean up our Active Directory of unwanted service accounts. We had no idea what some of our accounts were doing. I was able to run it on our member servers to identify each service accounts role. Big Thanks!

Ilker Aydin said...

I am glad to hear I was able to help.

Anonymous said...

Fantastic script.... works spot on

Anonymous said...

Just like to add.. I've taken on an identical clean up task and short of auditing account logons and crunching a lot of data, this script it pure magic. Thank you so much from many engineers that are likely to use this but too lazy to post the feedback... of which I have to admit I am generally one.. but this was just so great I had to take the time! Thanks again.

Anonymous said...

Just what I needed. Thank you for sharing your knowledge and experience!

Anonymous said...

A great script that will save many hours. Thanks for sharing it.

Ramaan said...

Hi,

Will this script find all service account if no keyword....

Anonymous said...

Thanks for this script. It was very helpful in auditing which domain accounts are used as service accounts in our organisation.

Regards

Scott Cummings

Anonymous said...

This is a superhelpful tool! I have one suggestion though. Instead of looking for user by user, can it be rewritten to instead look for any user that is not local service or network service? That way, you get a server by server dump of ALL services using non std windows accounts.