In this article, I’ll show you how to find service accounts in Active Directory using PowerShell and the AD Pro Toolkit. Typically, a service or scheduled task is configured to run as the local system account. However, there are times when a domain user or local account is configured to run as the service.
In this article:
- Option 1. Find Service Accounts in AD with AD Pro Toolkit
- Option 2. Find Service Accounts in AD with PowerShell
- Tips to Find on-premises service accounts
Option 1. Find Service Accounts in AD with AD Pro Toolkit
In this example, I’ll find service accounts using the AD Pro Toolkit. This tool makes it easy to scan your Windows systems and find where service accounts are being used. Download 14-day Free Trial.
Steps to find service accounts with the toolkit.
- Click on Security Reports and then Service Account.
- Select from the options and click “Run”. By default, it will scan all domain computers, click browse to select an OU or group.
- You can search and filter the report.
- To export the report click the “Export” button.
The RunningAs column will show you the name of account that is running as a service.
Filtering the report for specific service accounts
If you scanned multiple computers, the report could return many results. The toolkit includes a few options to filter the report and make it easier to find specific accounts.
Exclude Built-in Accounts
There are several built-in accounts to Windows (LocalSystem, NT AUTHORITY\LocalService, etc) that you can easily filter out of the report.
Select the “Exclude Built-in Accounts” box and re-run the report. This makes it much easier to find domain and local accounts that are running as a service.
Sort and filter columns
To find specific service accounts you can filter the report or click the search icon. First, I’ll click on the RunningAs column and filter the report, I’m looking for domain user accounts that are runningAs.
You can see in the screenshot above when I filter the results I found two domain accounts that are being used as service accounts, one is on PC3 and the other is on SRV-VM1.
Another option is to use the search icon. For example, I’ll type my domain name and hopefully, it will find all domain accounts.
Awesome! The tool quickly found two domain user accounts set to run a Windows service.
How to search for a specific service account?
If you want to scan your computers for a specific service account, then use the find option.
In this example, I’ll scan all computers for the service account “adam.reed”.
Very nice! This option works great when you know the name of the service account. Unfortunately, that is not always the case.
Option 2. Find Service Accounts in AD with PowerShell
In this example, I’ll use the get-wmiobject cmdlet to list service accounts on a single computer
Step 1: Open PowerShell as Administrator.
Step 2: Copy and paste the command below. Change pc3 to your computers hostname.
get-wmiobject win32_service -comp pc3 | select name, status, startnameThis command will group the services by the startname, I think it makes it easier to read and get an overview of which accounts are running the service.
If you don’t want to group the results, use this command.
get-wmiobject win32_service -comp pc3 | select name, status, startname
To search for a specific account use this command. I’m doing a wildcard search for service accounts running as a domain user.
get-wmiobject win32_service -comp pc3 -filter "startname like '%activedirectory%'" | select name, status, startname
Tips to Find on-premises service accounts
In this tutorial, I’ve been referring to service accounts as normal domain user accounts. In this scenario, there is no easy way to list all service accounts unless you have documented or implemented a naming convention for them.
Below is what Microsoft says about on-premises service accounts.
We recommend that you add a prefix such as “svc-” to all accounts that you use as service accounts. This naming convention will make the accounts easier to find and manage. Also consider using a description attribute for the service account and the owner of the service account. The description can be a team alias or security team owner.
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-on-premises#find-on-premises-service-accounts
In addition to adding a prefix, I would create an OU just for service accounts. You may have existing service accounts that you cannot add a prefix to, so by putting them all into an OU you can easily list all service accounts in Active Directory.
Another option to list all service accounts, is to check the local policy settings. When an account is configured to run as a service, the account will be granted log on as a service rights.
You would need to open the local group policy on each system and check the user rights assignment.
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment – > Log on as a service.
You can see above, I have two domain accounts that have been granted the log on as a service right. Unfortunately, there is no easy way to query this on all computers. It would be easier to use the service accounts report tool or PowerShell to query all computers.
Conclusion
In this tutorial, I showed you two methods for finding where service accounts are being used. By using PowerShell you can easily list all the service accounts on a single computer, but it is challenging for multiple computers. To easily scan all computers I recommend using the service accounts reporting tool from the AD Pro Toolkit. This GUI tool lets you query all computers for domain service accounts, filter the results and export the accounts to a CSV file.
