
Auditing Active Directory Service accounts

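# Audit Windows servers for services that run under a Domain Admins account.
#
# Flow: enumerate enabled Windows Server computer objects under $ServerOUBaseDN,
# query each reachable host's Win32_Service instances over WMI, drop services
# that run as a built-in identity, and compare the remaining service accounts
# against the (recursive) membership of Domain Admins.
#
# Outputs (current directory):
#   all-services.csv          every service collected
#   bad-services.csv          services not running as a built-in identity
#   Service-DomainAdmins.csv  services whose account is a Domain Admin
# Hosts that could not be audited (no ICMP reply, WMI failure) are reported
# with Write-Warning so a silent gap in coverage is visible to the auditor.
#
# Requires the ActiveDirectory module and rights to query WMI on each target.

$DomainNetbiosName = 'domain'
$ServersAdminGroup = "$DomainNetbiosName\Server Admins"
$WorkstationsAdminGroup = "$DomainNetbiosName\Workstation Admins"
$DomainAdminsGroup = "$DomainNetbiosName\Domain Admins"

$ServerOUBaseDN = 'OU=servers,DC=domain,DC=local'
$DomainBaseDN = 'DC=domain,DC=local'

$targets = Get-ADComputer -SearchBase $ServerOUBaseDN -Filter {
    OperatingSystem -Like 'Windows*Server*' -and Enabled -eq $true
} -Properties DNSHostName

# Resolve Domain Admins by its well-known RID (512) so the lookup does not
# depend on the group's display name, and expand nested groups with -Recursive:
# an account that is a Domain Admin through group nesting is just as privileged.
$DomainAdminsSid = "$((Get-ADDomain).DomainSID)-512"
$DomainAdmins = Get-ADGroupMember -Identity $DomainAdminsSid -Recursive
# Always an array, even with a single member: a bare string here would turn the
# later membership test into a substring match (e.g. "ADMIN" inside "ADMINISTRATOR").
$Admins = @($DomainAdmins | ForEach-Object { $_.SamAccountName.ToUpper() })

$unreachable = @()
$i = 0
$count = @($targets).Count

# Assigning the loop's output avoids the O(n^2) cost of repeated `+=` on an array.
# Write-Host/Write-Warning do not land in $vallist; only the Select-Object output does.
$vallist = foreach ($targethost in $targets) {
  $i++   # counted before the reachability check so "i of count" stays accurate
  $fqdn = $targethost.DNSHostName
  Write-Host ("{0} of {1} - {2}" -f $i, $count, $fqdn)

  if (-not (Test-Connection -ComputerName $fqdn -Count 2 -Quiet)) {
    # A server that drops ICMP is not audited; record it rather than skip silently.
    $unreachable += $fqdn
    continue
  }

  try {
    Get-WmiObject Win32_Service -ComputerName $fqdn -ErrorAction Stop |
      Select-Object SystemName, DisplayName, StartName, State
  } catch {
    # Access denied / RPC unavailable etc. are coverage gaps, not reasons to abort the run.
    Write-Warning ("WMI query failed for {0}: {1}" -f $fqdn, $_.Exception.Message)
    $unreachable += $fqdn
  }
}

# Built-in identities that can never be a domain account. -notcontains is
# case-insensitive, which covers the spelling variants WMI returns.
$filtlist = @("LocalService", "LocalSystem", "NetworkService", "NT AUTHORITY\LocalService", "NT AUTHORITY\NetworkService", "NT AUTHORITY\NETWORK SERVICE", "NT AUTHORITY\LOCAL SERVICE")
$TargetServices = $vallist | Where-Object {
  -not [string]::IsNullOrWhiteSpace($_.StartName) -and $filtlist -notcontains $_.StartName
}

# Reduce a service StartName to a bare SAM account name before comparing.
# Only this domain's NetBIOS prefix is stripped: '.\svc' (local account) and
# 'OTHERDOM\svc' are left intact so an unrelated account that happens to share
# a Domain Admin's name does not produce a false positive. UPN-style names
# ('svc@suffix') lose any suffix because alternate UPN suffixes are common;
# UPN prefix and SAM name are assumed to match — TODO confirm for this forest.
# (The previous .Trim("AD\") removed the *characters* A, D and \ from both ends
# of the name, not the domain prefix, and would mangle names such as "DAVID".)
$netbiosPrefix = ($DomainNetbiosName + '\').ToUpper()
$SVCDomAdmins = foreach ($svc in $TargetServices) {
  $a = $svc.StartName.ToUpper().Trim()
  if ($a.StartsWith($netbiosPrefix)) {
    $a = $a.Substring($netbiosPrefix.Length)
  } elseif ($a.Contains('@')) {
    $a = $a.Split('@')[0]
  }
  if ($Admins -contains $a) {
    # Emit the service, not just the name: the auditor needs to know where it runs.
    $svc | Select-Object SystemName, DisplayName, StartName, State,
      @{ Name = 'Account'; Expression = { $a } }
  }
}

# Export objects with named columns; exporting bare strings would write only a
# "Length" column. -NoTypeInformation drops the #TYPE header line.
$SVCDomAdmins | Sort-Object Account, SystemName, DisplayName -Unique |
  Export-Csv Service-DomainAdmins.csv -NoTypeInformation
$TargetServices | Export-Csv bad-services.csv -NoTypeInformation
$vallist | Export-Csv all-services.csv -NoTypeInformation

if ($unreachable.Count -gt 0) {
  Write-Warning ("{0} host(s) were not audited: {1}" -f $unreachable.Count, ($unreachable -join ', '))
}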

https://isc.sans.edu/diary/rss/24882