Finding Service Accounts Using PowerShell | Quisitive
February 1, 2013
Quisitive
Need help finding service accounts using PowerShell?

This week I’m working on an Active Directory Assessment project. One of my client’s concerns is that they have a couple of shared user accounts that they would like to disable to increase accountability within the IT team. However, the accounts have been around a long time, and they aren’t sure what services might be running under them.

The client’s Active Directory is running on Windows 2008 R2, so that means we have access to the Active Directory PowerShell module. Now all we have to do is combine the Get-ADComputer cmdlet with the Get-WmiObject cmdlet in order to retrieve this information:

# Edit the variable below to set the name of the account that you want to find services logging on as
$Account = "Test"

#-----------------------------------------------------#

# Imports the Active Directory PowerShell module
Import-Module ActiveDirectory

# Gets all servers in the domain (only the default Name property is used below)
$servers = Get-ADComputer -Filter {OperatingSystem -Like "Windows *Server*"}

# For each server, find services running under the user specified in $Account
ForEach ($server in $servers) {

    # -ComputerName points the WMI query at the remote server; without it,
    # every pass of the loop would query the local machine instead
    $Services = Get-WmiObject Win32_Service -ComputerName $server.Name |
        Where-Object { $_.StartName -like "*$Account*" }

    # List the services running as $Account in the PowerShell console.
    # If there are no services running under $Account, output this to the console.
    If ($Services -ne $null) {
        Write-Host $Services
    }
    Else {
        Write-Host "No Services found running under $Account on Server $($server.Name)"
    }
}

#-----------------------------------------------------#
#End

Works like a charm. For each server in the list, the script will output either text stating that no services running under that account were found, or the path to the service running under the specified account.
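
A variant of the script above, as an added example that is not part of the original post: it matches the account name exactly instead of with a wildcard (so "Test" does not also hit "Test2"), records unreachable servers separately from servers with no match, and writes the results to a CSV for review. The helper names Test-StartNameMatch and New-Row and the output file name are assumptions made for this example.

```powershell
# Added example; Test-StartNameMatch, New-Row and the CSV name are hypothetical.
Import-Module ActiveDirectory
$Account = "Test"   # sAMAccountName of the shared account, as in the script above

# True when StartName refers to exactly $Sam in any recorded form:
# DOMAIN\sam, sam@domain.fqdn, bare sam, or .\sam (a local account of the
# same name, reported as well so it can be reviewed).
function Test-StartNameMatch {
    param([string]$StartName, [string]$Sam)
    if ([string]::IsNullOrEmpty($StartName)) { return $false }
    $name = $StartName
    if ($name.Contains('\'))     { $name = $name.Split('\')[-1] }  # drop DOMAIN\ or .\
    elseif ($name.Contains('@')) { $name = $name.Split('@')[0] }   # drop @domain
    return ($name -ieq $Sam)
}

# Builds one report row; New-Object PSObject also works on PowerShell 2.0
function New-Row {
    param($Server, $Status, $Svc)
    New-Object PSObject -Property @{
        Server = $Server; Status = $Status
        Service = $Svc.Name; StartName = $Svc.StartName
        State = $Svc.State; StartMode = $Svc.StartMode; PathName = $Svc.PathName
    }
}

$servers = Get-ADComputer -Filter {OperatingSystem -Like "Windows *Server*"}

$results = foreach ($server in $servers) {
    try {
        $svcs = Get-WmiObject Win32_Service -ComputerName $server.Name -ErrorAction Stop
    }
    catch {
        # "Not checked" must not be read as "no services found"
        New-Row -Server $server.Name -Status "Unreachable: $($_.Exception.Message)"
        continue
    }
    $hits = @($svcs | Where-Object { Test-StartNameMatch $_.StartName $Account })
    if ($hits.Count -eq 0) { New-Row -Server $server.Name -Status "NoMatch" }
    foreach ($svc in $hits) { New-Row -Server $server.Name -Status "Match" -Svc $svc }
}

$results | Select-Object Server, Status, Service, StartName, State, StartMode, PathName |
    Export-Csv -Path .\ServiceAccountUsage.csv -NoTypeInformation
```

Rows with Status "Unreachable" identify servers that still need to be checked before the account is disabled.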