bhamguy3131

asked on

Track Down Service Accounts with Elevated privileges by seeing what systems are bouncing off AD using the account

We have a large number of programmers adding service accounts with UN and PW inside of their code for purposes of moving files and other AD integration points. Recently we found a service account that was a Domain Admin. The question posed was, short of changing the password and seeing what happens, can we get a clean query from AD looking back 120 days for the source computer and desired service elevation being requested by this service account, such that we might re-task this in a controlled manner?
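One way to get the 120-day answer from data the domain already holds, as an added example (PowerShell, not code from the original thread or from any of its participants): AD's own lastLogon and lastLogonTimestamp attributes record a time but never a source host, so the source computer has to come from the domain controllers' Security logs, not from an LDAP query. The script below assumes the RSAT ActiveDirectory module, read access to every DC's Security log, that the advanced audit subcategories for Logon (4624), Kerberos Authentication Service (4768), Kerberos Service Ticket Operations (4769) and Credential Validation (4776) are enabled on the DCs, and that the DCs (or a forwarding collector you point it at instead) actually retain the 120-day window; on most DCs the Security log wraps long before that, so check retention before trusting an empty result. The account name svc_filemove, the script name and the -Days value are placeholders.

```powershell
# Added example: find which systems have authenticated as a service account over the last N days
# by reading the domain controllers' Security logs. Assumes the RSAT ActiveDirectory module,
# the audit subcategories named in the lead-in, and that the logs retain the window you ask for.
param(
    [Parameter(Mandatory)] [string]$AccountName,   # sAMAccountName, e.g. 'svc_filemove' (placeholder)
    [int]$Days = 120,
    [string[]]$DomainControllers = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
)

$realm = (Get-ADDomain).DNSRoot.ToUpper()   # 4769 records the requesting account as user@REALM

# Server-side filter: only these event IDs, only inside the window, and only events whose
# data contains the account name in either form. 4624 = logon, 4768 = TGT request,
# 4769 = service ticket request, 4776 = NTLM credential validation.
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4768, 4769, 4776
    StartTime = (Get-Date).AddDays(-$Days)
    Data      = @($AccountName, "$AccountName@$realm")
}

$hits = foreach ($dc in $DomainControllers) {
    # Get-WinEvent throws rather than returning nothing when no event matches; swallow that case.
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML into a hashtable.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # All four IDs name the authenticating account in TargetUserName; the Data filter above
        # can also hit other fields (e.g. SubjectUserName), so confirm it is the account we want.
        if (($d['TargetUserName'] -split '@')[0] -ne $AccountName) { continue }

        # 4624 uses WorkstationName, 4776 uses Workstation; Kerberos events only carry the IP.
        $ws = if ($d['WorkstationName']) { $d['WorkstationName'] } else { $d['Workstation'] }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            DC          = $dc
            EventId     = $e.Id
            SourceIp    = ($d['IpAddress'] -replace '^::ffff:', '')   # strip IPv4-mapped prefix
            Workstation = $ws
            LogonType   = $d['LogonType']    # 4624 only: 2 interactive, 3 network, 4 batch, 5 service
            Service     = $d['ServiceName']  # 4769 only: the SPN the account asked a ticket for
        }
    }
}

# Collapse to one row per source: first/last seen, which event types, which services were targeted.
$hits | Group-Object SourceIp, Workstation | ForEach-Object {
    $sorted = @($_.Group | Sort-Object Time)
    [pscustomobject]@{
        Source    = $_.Name
        FirstSeen = $sorted[0].Time
        LastSeen  = $sorted[-1].Time
        Count     = $_.Count
        EventIds  = ($_.Group.EventId | Sort-Object -Unique) -join ','
        Services  = ($_.Group.Service | Where-Object { $_ } | Sort-Object -Unique) -join ','
    }
} | Sort-Object LastSeen -Descending | Format-Table -AutoSize
```

Run it as, for instance, `.\Find-ServiceAccountSources.ps1 -AccountName svc_filemove -Days 120` (script name is a placeholder). The two columns that matter for re-tasking are LogonType on the 4624 rows, which separates hosts that run the account as a service or scheduled task (types 5 and 4) from hosts that merely connect with it over the network (type 3), and Service on the 4769 rows, which lists the SPNs the account actually reaches; together they give the list of systems and targets a replacement, narrowly scoped account needs before the old password is changed.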
McKnife

You should ask a different question, which needs to be answered urgently:
What programmer needs access to a domain admin account and what for?

Using domain admins for services is a total no-go, but much worse is to give dom admin credentials to people who are not properly educated on domain administration and secure account usage.
Immediately remove all domain admin rights to all user accounts except for a handful of AD admins.

Follow this process and you will not break anything

Securing Active Directory Administrators Groups
https://www.experts-exchange.com/articles/29596/Securing-Active-Directory-Administrators-Groups.html

All users should change their passwords afterwards, and you need to inform them to change the password of any private accounts that use the same passwords, because all passwords could have been compromised.

How to extract hashes from IFM backup
https://www.experts-exchange.com/articles/29569/How-to-extract-hashes-from-IFM-backup.html
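A check that goes with the advice above, as an added PowerShell example (not from the original thread or from the linked articles): list everyone who currently holds Domain Admins, Enterprise Admins, Schema Admins or built-in Administrators rights, including through nested groups, and flag the entries that look like service accounts rather than the "handful of AD admins". It assumes the RSAT ActiveDirectory module and runs against the domain you are logged on to; Enterprise Admins and Schema Admins only exist in the forest root domain, so they are skipped elsewhere. The group names are the English defaults, and the name patterns used to flag service accounts are assumptions to adjust for your naming convention.

```powershell
# Added example: who holds domain-level admin rights right now, including nested membership,
# with service-account-shaped entries flagged. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

$rows = foreach ($g in $groups) {
    # Enterprise/Schema Admins exist only in the forest root domain; skip groups that don't resolve.
    $grp = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
    if (-not $grp) { continue }

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks nested groups on the DC,
    # so this catches an account reached through "Server Ops -> Helpdesk -> Domain Admins"
    # without the member-count limits of Get-ADGroupMember -Recursive.
    $members = Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($grp.DistinguishedName))" `
        -Properties servicePrincipalName, PasswordNeverExpires, PasswordLastSet, LastLogonDate, Description, Enabled

    foreach ($u in $members) {
        # Heuristics for "this is a service account, not a human admin": SPNs registered,
        # password set to never expire, or a name/description that says so (patterns are assumptions).
        $reasons = @()
        if ($u.servicePrincipalName.Count -gt 0) { $reasons += 'SPN' }
        if ($u.PasswordNeverExpires)             { $reasons += 'PwdNeverExpires' }
        if ($u.SamAccountName -match '^(svc|sa|srv)[_-]' -or $u.Description -match 'service') {
            $reasons += 'NamedLikeService'
        }

        [pscustomobject]@{
            Group           = $g
            Account         = $u.SamAccountName
            Enabled         = $u.Enabled
            LastLogonDate   = $u.LastLogonDate    # from lastLogonTimestamp: replicated, but only accurate to roughly two weeks
            PasswordLastSet = $u.PasswordLastSet
            SPNs            = ($u.servicePrincipalName -join ';')
            Flags           = ($reasons -join ',')
        }
    }
}

# Flagged (service-shaped) accounts first: these are the ones to move to a least-privilege
# account before the group cleanup and password reset, so nothing breaks silently.
$rows | Sort-Object { $_.Flags -eq '' }, Group, Account | Format-Table -AutoSize
```

Anything that shows up with a Flags value has no business in these groups; anything without one still needs a human to confirm it belongs to one of the named AD admins. Re-run the same script after the cleanup so the "handful" is an enumerated list you can diff, not an assumption.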
bhamguy3131

ASKER

Let me clarify. The service accounts are already removed as Domain Admins. Now we are moving on to the broader question of tracking service accounts for use and need to relay back to an AD query.
"...we might re-task this in a controlled manner ?"
I was addressing this part.

"Now we are moving on to the broader question of tracking Service Accounts for use and need to relay back to an AD query."
Please explain
ASKER CERTIFIED SOLUTION
Albert Widjaja
