How to discover services and scheduled tasks using specified account

Hello,
I'm looking to find activity of a specific user.
It can be software (preferably free) \ PowerShell \ VBS.

Sadly, we don't have a SIEM at the moment, and I'm looking for a quick way to find the information.
Any suggestions?
johnnyjonathan Asked:
Will Szymkowski, Senior Solution Architect, Commented:
You can use AD Audit Plus to track information regarding a specific account: logons, password failures, and what machines the accounts are being logged in from.

It's not free, but they do have a 30-day fully featured trial version...

AD AuditPlus - http://www.manageengine.com/products/active-directory-audit/


Will.
0
johnnyjonathan (Author) Commented:
Hi Will.
Thanks, but I have AuditPlus and I don't know of "tracking information" in it?
0
Subsun Commented:
There is no easy way (you may hit a lot of roadblocks.. :-)).. Here is a third-party tool, but it's not free..

http://community.spiceworks.com/topic/237625-discovering-services-and-scheduled-tasks-using-specified-account

The other option is to use the Get-RunAsAccount function against the computer list. Refer to the following link from the Script Center..
http://gallery.technet.microsoft.com/Getting-information-about-438b5b1c
0
johnnyjonathan (Author) Commented:
Thanks Subsun,
I've tried running the script. I copied it over to my C drive and ran the command -
.\Get-RunAsAccount -ComputerName "COMPUTERNAME" -RunAsUser "USERNAME"

but it then just gave me an empty prompt? I've tried checking with false parameters and I still get the same thing.
0
Subsun Commented:
The script is written as a function.. You can start the code by the dot-sourcing method.. and then run the function..
. C:\Get-RunAsAccount.ps1
Get-RunAsAccount -ComputerName "COMPUTERNAME" -RunAsUser "USERNAME"

Check the link for detailed instructions..
http://blog.powershell.no/2012/02/05/getting-information-about-run-as-accounts-for-services-and-scheduled-tasks/
0
RobSampson Commented:
Hi, you can also try this VBS that I use when we change the password of a service account.  Run it "as administrator", using an account that will have admin rights on the target servers.  Put your server names in All_AD_Servers.txt, and change the strAccount value to the account you want to find.

Hopefully it does the job.

Regards,

Rob.

' declare constant variables
Const FOR_READING = 1      ' declare OpenTextFile variables
Const FOR_WRITE = 2      ' declare OpenTextFile variables
Const FOR_APPENDING = 8      ' declare OpenTextFile variables
Const xlup = -4162
 
strOutputFile = Replace(WScript.ScriptFullName, WScript.ScriptName, "") & "Services.csv"
strInputFile = Replace(WScript.ScriptFullName, WScript.ScriptName, "") & "All_AD_Servers.txt"
strSuccessFile = Replace(WScript.ScriptFullName, WScript.ScriptName, "") & "Successful.txt"
strAccount = "DOMAIN\UserAccount"

'create objects
Set objFSO = CreateObject("Scripting.FileSystemObject")      ' create FSO object
Set objShell = CreateObject("WScript.Shell")
Set objNewFile = objFSO.CreateTextFile(strOutputFile, True)      ' create output file
 
'table headers
objNewFile.WriteLine "Computer Name,Service,Name,Caption,RunAs"            ' create csv table headers

strFailed = ""

Set objInputFile = objFSO.OpenTextFile(strInputFile, 1, False)
Set objSuccessFile = objFSO.OpenTextFile(strSuccessFile, 8, True)
While Not objInputFile.AtEndOfStream
	strComputer = Trim(objInputFile.ReadLine)
	If strComputer <> "" Then
		'list services & log-on-as
		If Ping(strComputer) = True Then
			On Error Resume Next
			Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
			If Err.Number <> 0 Then
				'MsgBox "Error connecting to " & strComputer
				If strFailed <> "" Then strFailed = strFailed & vbCrLf
				strFailed = strFailed & strComputer
				objNewFile.WriteLine strComputer & "," & "Failed to connect"
				Err.Clear
			Else
				If Trim(strAccount) = "" Then
					Set colServices = objWMIService.ExecQuery("Select Name,Caption,StartName From Win32_Service")
				Else
					Set colServices = objWMIService.ExecQuery("Select Name,Caption,StartName From Win32_Service WHERE StartName='" & Replace(strAccount, "\", "\\") & "'")
				End If
				For Each objService In colServices
					objNewFile.WriteLine strComputer & ",Service," & objService.Name & "," & objService.Caption & "," & objService.StartName
				Next

				'========= Now get scheduled task information ===========
				WScript.Echo "Running schtasks /query /v /fo csv /s " & strComputer
				Set objExec = objShell.Exec("schtasks /query /v /fo csv /s " & strComputer)
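				' Read StdOut directly: ReadAll blocks until schtasks exits. The old
				' "While objExec.Status" wait was skipped while the process was running
				' (Status 0) and would loop forever once it had finished (Status 1).
				strResults = objExec.StdOut.ReadAll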
				'MsgBox strResults
				If InStr(strResults, "no scheduled tasks") > 0 Then
					'MsgBox "There are no scheduled tasks on this computer"
				Else
					blnFailed = True
					For Each strJob In Split(strResults, VbCrLf)
						If Trim(strJob) <> "" And Left(strJob, 21) <> """HostName"",""TaskName""" Then
							'WScript.Echo strJob
							' Remove outside quotes, then split by ","
							arrJob = Split(Mid(strJob, 2, Len(strJob) - 2), """,""")
							' Indexes 14 and 18 are read below, so require at least 19 fields
							If UBound(arrJob) >= 18 Then
								'WScript.Echo strJob
								If Trim(strAccount) = "" Then
									'WScript.Echo arrJob(0) & "," & arrJob(1) & "," & arrJob(8) & "," & arrJob(14)
									objNewFile.WriteLine arrJob(0) & ",Scheduled Task," & arrJob(1) & "," & arrJob(8) & "," & arrJob(14)
								ElseIf LCase(arrJob(14)) = LCase(strAccount) Then
									'WScript.Echo arrJob(0) & "," & arrJob(1) & "," & arrJob(8) & "," & arrJob(14)
									objNewFile.WriteLine arrJob(0) & ",Scheduled Task," & arrJob(1) & "," & arrJob(8) & "," & arrJob(14)
								ElseIf LCase(arrJob(18)) = LCase(strAccount) Then
									'WScript.Echo arrJob(0) & "," & arrJob(1) & "," & arrJob(8) & "," & arrJob(18)
									objNewFile.WriteLine arrJob(0) & ",Scheduled Task," & arrJob(1) & "," & arrJob(8) & "," & arrJob(18)
								End If
								'MsgBox Join(arrJob, VbCrLf)
								'MsgBox arrJob(18)
								blnFailed = False
							End If
						End If
					Next
					If blnFailed = True Then
						objNewFile.WriteLine strComputer & ",Scheduled Task failure"
						If strFailed <> "" Then strFailed = strFailed & vbCrLf
						strFailed = strFailed & strComputer
					Else
						objSuccessFile.WriteLine strComputer
					End If
				End If
				
			End If	
		Else
			'MsgBox strComputer & " could not be pinged."
			objNewFile.WriteLine strComputer & "," & "Failed to ping"
			If strFailed <> "" Then strFailed = strFailed & vbCrLf
			strFailed = strFailed & strComputer
		End If
	End If
Wend

' close object
objNewFile.Close
objInputFile.Close

Set objInputFile = objFSO.CreateTextFile(strInputFile, True)
objInputFile.Write strFailed
objInputFile.Close
objSuccessFile.Close
WScript.Echo "Done"
 
Function Ping(strComputer)
	Dim objShell, boolCode
	Set objShell = CreateObject("WScript.Shell")
	boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
	If boolCode = 0 Then
		Ping = True
	Else
		Ping = False
	End If
End Function

0
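A PowerShell version of the same inventory, as an added example that is not part of any answer in this thread and is not the linked Get-RunAsAccount script. It assumes WinRM is reachable for Get-CimInstance, English schtasks column names, and admin rights on the targets; Find-RunAsUsage and RunAsUsage.csv are hypothetical names.

```powershell
# Added example, not code from this thread. Assumes WinRM (Get-CimInstance),
# English schtasks column names and admin rights on each target.
function Find-RunAsUsage {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Account        # e.g. 'DOMAIN\UserAccount'
    )
    # Assumption: schtasks may list the account without its domain prefix
    $bare = ($Account -split '\\')[-1]
    # WQL string literal: escape backslashes first, then single quotes
    $wql = "StartName='{0}'" -f (($Account -replace '\\', '\\') -replace "'", "\'")
    $row = { param($c, $t, $n, $d, $r)
        [pscustomobject]@{ Computer = $c; Type = $t; Name = $n; Detail = $d; RunAs = $r } }

    foreach ($c in $ComputerName) {
        try {
            Get-CimInstance -ComputerName $c -ClassName Win32_Service -Filter $wql -ErrorAction Stop |
                ForEach-Object { & $row $c 'Service' $_.Name $_.PathName $_.StartName }
        } catch {
            # Record the failure so an unreachable host is not read as "no usage"
            & $row $c 'Error' 'Win32_Service' $_.Exception.Message $null
        }

        $csv = & schtasks.exe /query /s $c /v /fo csv 2>$null
        if ($LASTEXITCODE -ne 0 -or -not $csv) {
            & $row $c 'Error' 'schtasks' "exit code $LASTEXITCODE" $null
            continue
        }
        # ConvertFrom-Csv handles quoted commas; the header row repeats per task
        # folder, and a task repeats per trigger, so drop both kinds of duplicate.
        $csv | ConvertFrom-Csv |
            Where-Object { $_.TaskName -ne 'TaskName' -and ($_.'Run As User' -in $Account, $bare) } |
            Sort-Object TaskName -Unique |
            ForEach-Object { & $row $c 'Scheduled Task' $_.TaskName ($_.'Task To Run') ($_.'Run As User') }
    }
}

# Server list file and account name as used in the VBS answer above
$servers = Get-Content .\All_AD_Servers.txt | ForEach-Object { $_.Trim() } | Where-Object { $_ }
Find-RunAsUsage -ComputerName $servers -Account 'DOMAIN\UserAccount' |
    Export-Csv .\RunAsUsage.csv -NoTypeInformation
```

Matching on the bare user name can also catch a same-named local account, so check the RunAs column of each hit before changing a password or disabling the account.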

johnnyjonathan (Author) Commented:
As always, your solutions are amazingly elegant!
0
RobSampson Commented:
Great. Glad it worked for you. Thanks for the grade.

Rob.
0