How can I determine what accounts are logging in as a service

spinoza156
Hi.

We recently had an incident whereby a system was compromised. The SQL service on the system was running under our domain administrator account credentials. We are not sure if that account has had its password leaked but we want to be proactive and change the password.

The domain administrator account is used across many different servers in our organization for this purpose. If we change the password we will obviously cause all those services to fail their authentication.

My question is: Is there a tool that I can use that can scan a server or multiple servers to let me know exactly what accounts are used by services to authenticate?

Needless to say we will be using another account going forward.

Thanks!
Here is a quick script that you can feed server names into:

It will give you a list of services that are running under domain credentials.

$serviceinfo = @()
(gc serverlist.txt) | % {
    $server = $_
    gwmi win32_service -computername $_| where {$_.StartName -ne "LocalSystem" -and $_.StartName -ne "NT AUTHORITY\LocalService" -and $_.startname -ne "NT Authority\NetworkService"} | % { $serviceinfo +=  "$server, $_.Name, $_.StartName"  }
}
$serviceinfo | Select * | Export-Csv c:\service-reports.csv -NoTypeInformation


Author

Commented:
Thanks becraig. My script knowledge is very limited. Is this a vbs script? Could you please provide an example of how you would run this with a server named 'foo'?

This is a PowerShell script.

Steps:
1. Save the code snippet as a file, possibly "script.ps1".
2. Open a PowerShell window (Run - powershell).
3. Navigate to the path where you saved script.ps1.
4. Save a text file copy of your list of servers, "serverlist.txt", in the same location.
5. Run the script by entering ./script.ps1

Author

Commented:
Ok. Thank you for the detail. I got the script to run, it created the file but it's empty. I created the serverlist.txt with the FQDN of one of my servers on the first line.

$serviceinfo = @()
(gc serverlist.txt) | % {
    $server = $_
    write-host "Processing Server ..." -fore yellow
    gwmi win32_service -computername $server | where {$_.StartName -ne "LocalSystem" -and $_.StartName -ne "NT AUTHORITY\LocalService" -and $_.startname -ne "NT Authority\NetworkService"} | % { $serviceinfo +=  "$server, $_.Name, $_.StartName"  }
}
$serviceinfo | Select * | Export-Csv c:\service-reports.csv -NoTypeInformation

Made a quick update to a bad pipe.

Author

Commented:
Thanks. I get the Processing Server... but still the same result.
I tried using the hostname of my local machine and it came back with attached. [attachment: capture]

$serviceinfo = @()
(gc serverlist.txt) | % {
    $server = $_
    write-host "Processing Server ..." -fore yellow
    gwmi win32_service -computername $server | where {$_.StartName -ne "LocalSystem" -and $_.StartName -ne "NT AUTHORITY\LocalService" -and $_.startname -ne "NT Authority\NetworkService"} | % {
        $sname = $_.Name; $sacct = $_.StartName
        $serviceinfo +=  "$server, $sname, $sacct"
    }
}

$serviceinfo | out-file c:\service-reports.csv


Author

Commented:
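This is the result. [attachment: capture]

This works for me without a hitch

Added a write to screen to see what you get.

# Collected "server, service, account" lines
$serviceinfo = @()
(gc serverlist.txt) | % {
    $server = $_
    # Query the services on $server and drop those running as a built-in account
    gwmi win32_service -computername $server | where {$_.StartName -ne "LocalSystem" -and $_.StartName -ne "NT AUTHORITY\LocalService" -and $_.startname -ne "NT Authority\NetworkService"} | % {
        # Copy the properties into plain variables so they expand inside the strings below
        $sname = $_.Name; $sacct = $_.StartName
        write-host "$server`t$sname`t$sacct"
        $serviceinfo +=  "$server, $sname, $sacct"
    }
}

# Write the collected lines to the report file
$serviceinfo | out-file c:\service-reports.csv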


Author

Commented:
You are right.

I have to run it locally on the server though to get it to work.
Thanks!
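
A more defensive take on the same inventory, as an added example that is not part of the thread or becraig's script: it emits objects so Export-Csv writes real columns, and it records a failed remote query as a row in the report. It assumes Get-CimInstance can reach the targets over WinRM; the column names and the extra `NT SERVICE\*` filter are choices made for this example.

```powershell
# Added example, not from the thread. serverlist.txt and the CSV path follow the
# thread; the column names and the built-in account list are assumptions.
$servers = Get-Content -Path .\serverlist.txt |
    ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Built-in identities whose logon does not depend on a domain account password.
$builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

$report = @(foreach ($server in $servers) {
    Write-Host "Processing $server ..." -ForegroundColor Yellow
    try {
        # -ErrorAction Stop makes an unreachable host or an access-denied reply catchable.
        $services = Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop
        foreach ($svc in $services) {
            $account = $svc.StartName
            # Skip services without a logon account, built-ins, and per-service virtual accounts.
            if (-not $account -or $builtIn -contains $account -or $account -like 'NT SERVICE\*') {
                continue
            }
            [pscustomobject]@{
                Server  = $server
                Service = $svc.Name
                Account = $account
                State   = $svc.State
                Error   = $null
            }
        }
    }
    catch {
        # Keep the failed server in the report so a missing row is never read as "no services".
        [pscustomobject]@{
            Server  = $server
            Service = $null
            Account = $null
            State   = $null
            Error   = $_.Exception.Message
        }
    }
})

# Objects (not strings) give Export-Csv real columns to write.
$report | Export-Csv -Path C:\service-reports.csv -NoTypeInformation

# Per-account totals show how many services depend on each account's password.
$report | Where-Object { -not $_.Error } |
    Group-Object -Property Account | Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize
```

Rows with a non-empty Error column mark servers that still have to be checked another way before the password is changed.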
