Auditing Active Directory service accounts
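# Audits the Windows servers under one OU for services that run under a named
# account (rather than a built-in identity) and reports which of those accounts
# are members of Domain Admins.
# Requires the ActiveDirectory module and WMI/RPC access to each server.
# Outputs (current directory): Service-DomainAdmins.csv, bad-services.csv,
#   all-services.csv and, when any host could not be queried, unreachable-hosts.csv.
$DomainNetbiosName = 'domain'
$ServersAdminGroup = "$DomainNetbiosName\Server Admins"            # not used in this excerpt
$WorkstationsAdminGroup = "$DomainNetbiosName\Workstation Admins"  # not used in this excerpt
$DomainAdminsGroup = "$DomainNetbiosName\Domain Admins"
$ServerOUBaseDN = 'OU=servers,DC=domain,DC=local'
$DomainBaseDN = 'DC=domain,DC=local'                               # not used in this excerpt

# Enabled Windows servers below the server OU. @() keeps .Count valid when
# the query returns a single computer.
$targets = @(Get-ADComputer -SearchBase $ServerOUBaseDN -Filter {
    OperatingSystem -Like 'Windows*Server*' -and Enabled -eq $true
} -Property DNSHostName)

$vallist = @()       # one row per service, across all queried hosts
$unreachable = @()   # hosts that could not be audited
$i = 1
$count = $targets.Count
foreach ($targethost in $targets) {
    $hostname = $targethost.DNSHostName
    Write-Host "$i of $count - $hostname"
    # Count every host, reachable or not, so the progress display reaches $count
    # (the original incremented only inside the reachability check).
    $i++
    if (-not (Test-Connection -ComputerName $hostname -Count 2 -Quiet)) {
        # A host that cannot be reached is a gap in the audit, not a clean result:
        # record it rather than silently dropping it.
        Write-Warning "unreachable: $hostname"
        $unreachable += [pscustomobject]@{ DNSHostName = $hostname; Reason = 'ping failed' }
        continue
    }
    try {
        $vallist += Get-WmiObject Win32_Service -ComputerName $hostname -ErrorAction Stop |
            Select-Object SystemName, DisplayName, StartName, State
    } catch {
        # Ping can succeed while WMI/RPC is blocked or denied; that is a gap too.
        Write-Warning "WMI query failed for ${hostname}: $($_.Exception.Message)"
        $unreachable += [pscustomobject]@{ DNSHostName = $hostname; Reason = "WMI failed: $($_.Exception.Message)" }
    }
}

# Built-in service identities in the spellings WMI reports; every other
# StartName is a named account worth reviewing. Rows with an empty StartName
# are skipped because they cannot be matched against an account list.
$filtlist = @("LocalService", "LocalSystem", "NetworkService", "NT AUTHORITY\LocalService", "NT AUTHORITY\NetworkService", "NT AUTHORITY\NETWORK SERVICE", "NT AUTHORITY\LOCAL SERVICE")
$TargetServices = $vallist | Where-Object { $_.StartName -and $filtlist -notcontains $_.StartName }
$TargetSVCAccounts = $TargetServices.StartName | Sort-Object -Unique

# Flattened Domain Admins membership (nested groups included). The original
# read $DomainAdmins without ever defining it; populate it here unless the
# caller already has. The group name is the part after the backslash.
if (-not $DomainAdmins) {
    $DomainAdmins = Get-ADGroupMember -Identity $DomainAdminsGroup.Split('\')[-1] -Recursive
}
$Admins = @($DomainAdmins.SamAccountName | ForEach-Object { $_.ToUpper() })

$SVCDomAdmins = @()
foreach ($Acct in $TargetSVCAccounts) {
    # Reduce "DOMAIN\name" or "name@domain.tld" to the bare account name.
    # The original used .Trim("AD\") / .Trim("@AD.INT"), which strips those
    # *characters* from both ends ("ADMIN" became "MIN") instead of removing a
    # prefix or suffix, and hard-coded a domain that did not match $DomainNetbiosName.
    $a = ($Acct.ToUpper() -replace '^[^\\]*\\', '') -replace '@.*$', ''
    # NOTE: the domain qualifier is discarded before comparing, so a local or
    # foreign-domain account sharing a Domain Admin's name would also be reported.
    if ($Admins -contains $a) { $SVCDomAdmins += $a }
}

# Export-Csv on bare strings writes only a "Length" column; wrap each account
# in an object so the file actually carries the account names.
$SVCDomAdmins | Sort-Object -Unique |
    ForEach-Object { [pscustomobject]@{ Account = $_ } } |
    Export-Csv Service-DomainAdmins.csv -NoTypeInformation
$TargetServices | Export-Csv bad-services.csv -NoTypeInformation
$vallist | Export-Csv all-services.csv -NoTypeInformation
if ($unreachable.Count -gt 0) {
    $unreachable | Export-Csv unreachable-hosts.csv -NoTypeInformation
}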
https://isc.sans.edu/diary/rss/24882