In this tutorial, I’ll show you how to find service accounts in Active Directory. In addition, I’ll show you how to find where service accounts are being used in your domain.
Typically a service or scheduled task is configured to run as the local system account. But there are times when a domain user or local account is configured to run as the service.
The problem is there is no easy way to track where a service account is being used.
The good news is, I created an easy-to-use tool that can scan your systems and find all service accounts. I’ll also show you some PowerShell commands to find service accounts.
Table of contents:
- Find where service accounts are being used with GUI Tool
- Find service accounts using PowerShell
- List all service accounts in Active Directory
Requirements
- WMI needs to be allowed inbound on the target computers.
- AD Pro Toolkit – You can download a free trial here
- PowerShell 5.1 or above
Video Tutorial
In the video below, I demonstrate how to find where service accounts are being used with the AD Pro Toolkit and PowerShell.
Find where service accounts are being used with GUI Tool
If you don’t document your service accounts then you could end up with them running on various servers or even computer systems. This situation is very difficult to manage and can be a security concern.
The only solution is to scan all your systems and find which ones have accounts being used to run a service. To simplify this you can use the service accounts report tool.
Step 1. Open the Service Accounts Report Tool
Click here to download a free trial
Step 2. Scan Computers for Service Accounts
Select to scan all computers or select an OU or a specific computer.
In this example, I’ll scan all computers in the domain. If you don’t want to include scheduled tasks, uncheck the “include scheduled tasks” box. Click the Run button to start the scan.
When the scan is complete you will have a list of all the services running on your systems, the state, and which account the service is running as.
Step 3. Filter Service Accounts Report
To find specific service accounts you can filter the report or click the search icon. First, I’ll click on the RunningAs column and filter the report, I’m looking for domain user accounts that are runningAs.
You can see in the screenshot above when I filter the results I found two domain accounts that are being used as service accounts, one is on PC3 and the other is on SRV-VM1.
Another option is to use the search icon. For example, I’ll type my domain name and hopefully, it will find all domain accounts.
Awesome! The tool quickly found two domain user accounts set to run a Windows service.
How to search for a specific service account?
If you want to scan your computers for a specific service account, then use the find services running as option.
In this example, I’ll scan all computers for the service account “adam.reed”.
Very nice! This option works great when you know the name of the service account. Unfortunately, that is not always the case.
Find service accounts using PowerShell
Here is a simple PowerShell command to find service accounts on a single computer.
get-wmiobject win32_service -comp pc3 | Group Startname -NoElementThis command will group the services by the startname, I think it makes it easier to read and get an overview of which accounts are running the service.
If you don’t want to group the results, use this command.
get-wmiobject win32_service -comp pc3 | select name, status, startname
To search for a specific account use this command. I’m doing a wildcard search for service accounts running as a domain user.
get-wmiobject win32_service -comp pc3 -filter "startname like '%activedirectory%'" | select name, status, startname
List all service accounts in Active Directory
In this tutorial, I’ve been referring to service accounts as normal domain user accounts. In this scenario, there is no easy way to list all service accounts unless you have documented or implemented a naming convention for them.
Below is what Microsoft says about on-premises service accounts.
We recommend that you add a prefix such as “svc-” to all accounts that you use as service accounts. This naming convention will make the accounts easier to find and manage. Also consider using a description attribute for the service account and the owner of the service account. The description can be a team alias or security team owner.
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-on-premises#find-on-premises-service-accounts
In addition to adding a prefix, I would create an OU just for service accounts. You may have existing service accounts that you cannot add a prefix to, so by putting them all into an OU you can easily list all service accounts in Active Directory.
Another option to list all service accounts, is to check the local policy settings. When an account is configured to run as a service, the account will be granted log on as a service rights.
You would need to open the local group policy on each system and check the user rights assignment.
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment – > Log on as a service.
You can see above, I have two domain accounts that have been granted the log on as a service right. Unfortunately, there is no easy way to query this on all computers. It would be easier to use the service accounts report tool or PowerShell to query all computers.
Conclusion
In this tutorial, I showed you two methods for finding where service accounts are being used. By using PowerShell you can easily list all the service accounts on a single computer, but it is challenging for multiple computers. To easily scan all computers I recommend using the service accounts reporting tool from the AD Pro Toolkit. This GUI tool lets you query all computers for domain service accounts, filter the results and export the accounts to a CSV file.
Related Articles
