
Finding if Service Accounts are in use

Posted on 2011-02-21
Last Modified: 2012-05-11
Hello,

We are retiring one AD domain to move to another. We are in the process of migrating users and I was appointed the task of finding out if service accounts are still in use on the domain. I was told I could use EventcombMT to search DC logs to try and find out if they are in use and what for. I tried running it by checking the security log for success audit and failure audit, and in the text field I put the service account name. I am getting zero results.

Does anyone have any suggestions on using EventcombMT to find this information? I have no background in scripting so that is not an option. I also only have access to free tools. Any advice would be helpful. Thanks.
Question by:SteveAD
11 Comments
 
LVL 44

Accepted Solution

by:
Amit earned 2000 total points
ID: 34943923
First of all, a service account and a user account are the same thing. The only difference with a service account is that we change a few settings, like Password never expires.

One option to find which account is working is to check with the application owners who are using them.

The second option is to check the lastlogon stamp.

Now the problem here is that normally people configure the application with a service account and don't log on for a long time, which again makes it difficult to trace them down.

The only way is to do it manually:

First, check which accounts are set with password never expires.
Check with the application team about those accounts, whether they are using them or not.
Once you have all the above information, you can disable the suspected accounts for a few weeks and see if any issue persists.

All of the above requires manual work and there is no shortcut to that, as service accounts are configured according to your requirements.

Hope this helps.
0
 

Author Comment

by:SteveAD
ID: 34944210
Thanks amitkulshrestha, the lastlogon stamp was one of my first ideas also. However, I was told that the last logon stamp is the last interactive login, not the last use of the account. The guy who assigned this task to me said that accounts used for services and applications don't update the login stamp. So he said I should try to search DC logs and that's where he said to use EventcombMT.

We have 180 service accounts on this list I have. For some of them I can contact the application teams; for others (that don't have much information) I'm stuck trying to search DC logs, I guess.

Anyone have any other suggestions by chance, or how I can use EventcombMT?

Thanks.
0
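The DC-log search discussed in this thread, as an added example that is not part of the original posts: it merges Security-log rows exported from every domain controller and reports, per service account, the last successful authentication, the source hosts, and the kind of use. The CSV column layout, the account, host and domain names are constructed for illustration, and the event IDs (4624, 4768, 4769, 4776) are the Windows Server 2008 and later ones, which is an assumption about the environment.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Successful-authentication event IDs on Windows Server 2008+ DCs (assumed OS level).
AUTH_EVENTS = {"4624": "logon", "4768": "kerberos-tgt",
               "4769": "kerberos-service-ticket", "4776": "ntlm-validation"}
LOGON_TYPES = {"2": "interactive", "3": "network", "4": "batch", "5": "service"}

# Constructed sample: Security-log rows exported from two DCs (column layout is assumed).
SAMPLE_EVENTS = """TimeCreated,DC,EventID,TargetUserName,LogonType,Source
2011-02-18T02:00:11,DC1,4624,CORP\\svc_backup,4,FILESRV01
2011-02-20T02:00:09,DC2,4624,svc_backup,4,FILESRV01
2011-02-19T08:14:52,DC1,4769,svc_sql@CORP.EXAMPLE,,10.0.0.21
2011-02-19T08:15:03,DC2,4776,SVC_SQL,,APPSRV07
2011-02-17T11:30:00,DC1,4624,jsmith,2,WKS0042
2011-02-16T09:00:00,DC1,4625,svc_old,3,APPSRV03
"""
SAMPLE_ACCOUNTS = ["svc_backup", "svc_sql", "svc_old"]  # constructed account list

def normalize(name):
    """Reduce DOMAIN\\user and user@REALM forms to a lower-case account name."""
    return name.split("\\")[-1].split("@")[0].strip().lower()

def usage_report(events_csv, accounts):
    """Merge events from all DCs; return {account: summary, or None if never seen}."""
    wanted = {normalize(a) for a in accounts}
    seen = defaultdict(lambda: {"last": None, "sources": set(), "kinds": set()})
    for row in csv.DictReader(io.StringIO(events_csv)):
        acct = normalize(row["TargetUserName"])
        if acct not in wanted or row["EventID"] not in AUTH_EVENTS:
            continue  # skip other accounts; only successful authentications are counted
        when = datetime.fromisoformat(row["TimeCreated"])
        entry = seen[acct]
        entry["last"] = when if entry["last"] is None else max(entry["last"], when)
        entry["sources"].add(row["Source"])
        kind = AUTH_EVENTS[row["EventID"]]
        if row["LogonType"]:
            kind += "/" + LOGON_TYPES.get(row["LogonType"], row["LogonType"])
        entry["kinds"].add(kind)
    return {a: seen.get(a) for a in sorted(wanted)}

if __name__ == "__main__":
    for acct, info in usage_report(SAMPLE_EVENTS, SAMPLE_ACCOUNTS).items():
        status = "no successful authentication found" if info is None else \
            f"last {info['last']} from {sorted(info['sources'])} via {sorted(info['kinds'])}"
        print(f"{acct}: {status}")
```

An account reported as never seen is only unseen within the exported log window, so it is a candidate for the owner check and the disable-and-wait step rather than proof that it is unused.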
 
LVL 21

Expert Comment

by:snusgubben
ID: 34944613
How many servers do you have in your environment?
0

Author Comment

by:SteveAD
ID: 34944683
I am new to this division of the company. In general, we have over 75 servers and we have 4 domain controllers.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34944729
If you have a list of host names, i.e. a csv, of the servers, we could make a script to check.

Also if you have 180 service accounts, you should also have a csv-file for those.
0
 
LVL 44

Expert Comment

by:Amit
ID: 34944965
0
 

Author Comment

by:SteveAD
ID: 34944983
I do have a csv file for the service accounts, but not one for the servers. I'm sure there is one somewhere for it but since I'm new here I'll have to ask around. I have no experience scripting at all or really even running them, will that matter?
0
 
LVL 44

Assisted Solution

by:Amit
Amit earned 2000 total points
ID: 34944986
Try this free tool

http://www.joeware.net/freetools/tools/adfind/index.htm

You can get a lot of information.
0
 
LVL 44

Assisted Solution

by:Amit
Amit earned 2000 total points
ID: 34945025
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34945444
I have no experience scripting at all or really even running them, will that matter?

It will not matter :)
0
 

Author Comment

by:SteveAD
ID: 35007052
Thanks for the offer to build me a script snusgubben. I was not able to get a server list from my manager (security issues), so I just had to use some tools and do the best I could. Thanks though.
0
