This thread appears to have been answered, but I've enclosed the script for those interested; let me know if you experience issues receiving it ... (it may be too large per Tony's throttles).
-- Dean Wells
MSEtechnology * Email: [EMAIL PROTECTED]
http://msetechnology.com

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, June 27, 2006 9:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Where's that account being used?
>
> I swear Dean previously posted a script to this list to go looking for
> machines using a specific account for one of their services.
>
> Other than that, I recommend you spin up at least one other ID, then start
> moving services/applications to it. That way when you think you got them
> all you can disable the account and see what breaks.
>
> Overall I am not a terrible fan of a single ID being shared by people or
> applications. All accountability goes straight out the window. As for the
> ID being a domain admin ID... Well that is just ridiculous and highlights
> some of the conversations on the list recently. Good luck cleaning it all up.
>
> joe
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
> Sent: Tuesday, June 27, 2006 12:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Where's that account being used?
>
> Dear fountain of knowledge,
>
> We've inherited a particularly messy AD structure, and we're now trying to
> find out where a particular account is in use. There are around 80 servers
> in the domain and 3000 workstations, and this account appears to be used
> for pretty much anything that wants to log on as a service, or anyone who
> wants domain admin privs.
>
> Is there any kind of audit utility to scan servers and see which services
> are using the account, and ideally - any kind of monitoring package to flag
> up an alert each time the account is used to, say, map a drive or connect
> to a SQL db?
>
> --
> AdamT
> "A casual stroll through the lunatic asylum shows that faith does not prove
> anything." - Nietzsche
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
:: SVClist.CMD - Dean Wells / MSEtechnology - August 2005
:: Queries and lists all services on all computers within a specified domain, optionally filters list
:: to only those running within a specified security context

@echo off
setlocal ENABLEDELAYEDEXPANSION

:: Define initial environment
set fqdn=%1
set dn=dc=%fqdn:.=,dc=%
set principal=%2
set TITLE=SVClist
set VERSION=1.1
set log=%TEMP%\%TITLE%.log
set stdout=nul
set stderr=nul
set found=0
set compsofar=0
set failsofar=0
set logonly=0
set threshold= within roughly 3 months
set progresscharlist=-\I/
set progresschar=
set minimumfiletime=0

:: Display usual gunk
echo/
echo %TITLE% %VERSION% / Dean Wells ([EMAIL PROTECTED]) - Aug. 2005

:: Determine if supplied arguments were sufficient
if "%fqdn%"=="" (
  set FQDN=/?
)

:: Was a help switch supplied
set fqdn=%fqdn:-?=-h%
set fqdn=%fqdn:/?=-h%
for %%h in (-h -help /h /help) do (
  if /i "%fqdn%"=="%%h" goto :SYNTAX
)

:: Was the "log" switch supplied
for %%h in (-log /log) do (
  if /i "%fqdn%"=="%%h" (
    set logonly=1
    call :DISPLAYLOG
    goto :END
  )
)

:: Define extreme SC query buffer to cope with unfamiliar environments
set bufsize=50000

:: Locate critical executables
for %%e in (net.exe findstr.exe find.exe sc.exe ldifde.exe notepad.exe) do (
  set where="%%~$PATH:e"
  if "!where!"=="""" (
    echo/
    echo ERROR - Required executable, "%%e", not located within the path
    goto :END
  )
)

:: Prepare display
echo/
echo STATUS - Working [title bar displays service progression] ...
echo/

:: Cleanup existing temporary/log files and prepare log header
del %TEMP%\computers.log 1>%stdout% 2>%stderr%
del %log% 1>%stdout% 2>%stderr%
title %TITLE%
echo %TITLE% log, "%log%" - >>%log%
echo - created by "%USERNAME%" at "%TIME%" on "%DATE%">>%log%

:: Derive the Windows filetime value to use as part of the query for active computer accounts, using the local machine account's pwdlastset
:: Get local machine's full computer name
for /f "tokens=4" %%n in ('net config workstation ^| find /i "Full Computer Name"') do set localdnsname=%%n
ldifde -j %TEMP% -s %fqdn% -d "%dn%" -r "(&(objectcategory=computer)(dNSHostName=%localdnsname%))" -l pwdlastset -f %TEMP%\%TITLE%-filetime.tmp 1>%stdout% 2>%stderr%
if errorlevel 1 (
  echo ERROR - LDAP query failed enumerating today's filetime value
  goto :SYNTAX
)
for /f "tokens=2 delims=: " %%d in ('findstr /i "pwdlastset:" %TEMP%\%TITLE%-filetime.tmp') do (
  set minimumfiletime=%%d
)

:: Reduce the 4th digit of the minimum filetime value by 1 since that equates to between 3 and 4 months prior to the read value
set /a highpart=%minimumfiletime:~0,4%-1
set lowpart=%minimumfiletime:~4%
set minimumfiletime=%highpart%%lowpart%

:: If w32tm executable can be found, convert minimumfiletime value to legible date
if not %minimumfiletime% LSS 1 (
  for %%e in (w32tm.exe) do (
    set where="%%~$PATH:e"
    if not "!where!"=="""" (
      for /f "delims=- tokens=2" %%d in ('w32tm /ntte %minimumfiletime%') do (
        set threshold= since%%d
        set threshold=!threshold:~0,-12!
      )
    )
  )
)

:: Count total number of computers within domain
ldifde -j %TEMP% -s %fqdn% -d %dn% -r "(objectcategory=computer)" -l dnshostname -f %TEMP%\computers.log 1>%stdout% 2>%stderr%
if errorlevel 1 (
  echo ERROR - LDAP query failed enumerating server list
  goto :SYNTAX
)
for /f %%h in ('type %TEMP%\computers.log ^| find /c /i "dnshostname: "') do (
  set totcomp=%%h
)

:: Query and count the active computers within the domain
if not %minimumfiletime% LSS 1 (
  ldifde -j %TEMP% -s %fqdn% -d %dn% -r "(&(objectcategory=computer)(pwdlastset>=%minimumfiletime%))" -l dnshostname -f %TEMP%\computers.log 1>%stdout% 2>%stderr%
  if errorlevel 1 (
    echo ERROR - LDAP query failed enumerating server list
    goto :SYNTAX
  )
  for /f %%h in ('type %TEMP%\computers.log ^| find /c /i "dnshostname: "') do (
    set activecomp=%%h
  )
) else (
  set activecomp=%totcomp%
)

:: Further prepare console and log file
echo - enumerated computers in domain "%fqdn%">>%log%
echo - enumerating computers in domain "%fqdn%"
if not %minimumfiletime% LSS 1 (
  echo - %totcomp% computer account objects located / %activecomp% are not stale >>%log%
  echo - %totcomp% computer account objects located / %activecomp% are not stale
) else (
  echo - local computer is non-domain member; staleness NOT determined >>%log%
  echo - local computer is non-domain member; staleness NOT determined
  echo - %totcomp% computer account objects located >>%log%
  echo - %totcomp% computer account objects located
)
if not "%principal%"=="" (
  echo - queried %activecomp% computers for partial match on service-account "%principal%" >>%log%
  echo - querying %activecomp% computers for partial match on service-account "%principal%"
  echo HINT: search log for "+" symbol to locate service-account name matches >>%log%
) else (
  echo - queried %activecomp% computers >>%log%
  echo - querying %activecomp% computers
  set found=1
)
if not %minimumfiletime% LSS 1 (
  echo + computer account deemed stale if account password [pwdLastSet] unchanged >>%log%
  echo + computer account deemed stale if account password [pwdLastSet] unchanged
  echo %threshold% >>%log%
  echo %threshold%
)
echo/
echo/ >>%log%
echo #BEGIN LOG# >>%log%
echo/ >>%log%

:: Parse the computers
for /f "tokens=1,2 delims=: " %%h in ('type %TEMP%\computers.log ^| findstr /i "dnshostname:"') do (
  if /i "%%h"=="dnshostname" (
    if not "%%i"=="" (
      set /a compsofar+=1
      set /a remaining=%activecomp%-!compsofar!
      call :GETSVCS %%i
    )
  )
)

:: Tidy up display and log file
if "%found%"=="1" (
  echo/
  echo Done^^!
  call :DISPLAYLOG
) else (
  echo/
  echo STATUS - No services located matching specified criteria
  echo + queried domain "%fqdn%"
  if not "%principal%"=="" (
    echo + queried %activecomp% computers for partial match on service-account "%principal%"
  )
)
echo #END LOG# >>%log%

:: Script body ends
goto :END

:: Define functions and procedures
:GETSVCS
set mchsvcs=0
set totsvcs=0
set hit=0
set cnt=0
title %TITLE% - COMPUTER: !compsofar! of %activecomp% / REMAINING: %remaining% / FAILED: !failsofar! ... !progresschar!
echo [SERVER: %1]>>%log%
:: Add right aligned padding of 'x' periods
set srvname=%1 ..........................]
set srvname=!srvname:~0,25!
set /p = + !srvname!<nul
nslookup %1 2>&1 | find "can't" 1>%stdout% 2>%stderr%
if not errorlevel 1 (
  echo #name resolution failure>>%log%
  echo #name resolution failure
  set /a failsofar+=1
  goto :BAIL
) else (
  ping -n 1 -w 500 %1 1>%stdout% 2>%stderr%
  if errorlevel 1 (
    echo #ICMP ping failure >>%log%
    echo #ICMP ping failure
    set /a failsofar+=1
    goto :BAIL
  ) else (
    net use \\%1 /y 1>%stdout% 2>%stderr%
    if errorlevel 1 (
      echo #authentication or RPC failure >>%log%
      echo #authentication or RPC failure
      set /a failsofar+=1
      goto :BAIL
    ) else (
      net use \\%1 /d /y 1>%stdout% 2>%stderr%
    )
  )
)
for /f "tokens=2 delims=: " %%s in ('sc \\%1 query state^= all bufsize^= %bufsize% ^| find "SERVICE_NAME"') do (
  set /a totsvcs+=1
  if not "%principal%"=="" (
    call set progresschar=%%progresscharlist:~!cnt!,1%%
    title %TITLE% - COMPUTER: !compsofar! of %activecomp% / REMAINING: %remaining% / FAILED: !failsofar! / SERVICE: !totsvcs! ... !progresschar!
    call :QUERYSVCS %1 %%s
  ) else (
    echo + %%s>>%log%
  )
)
:BAIL
if not "%principal%"=="" (
  echo [/SERVER: %1 / %mchsvcs% hits logged out of %totsvcs% total services found]>>%log%
  if not "%totsvcs%"=="0" echo %mchsvcs% hits from %totsvcs% services
) else (
  echo [/SERVER: %1 / %totsvcs% services in total]>>%log%
  if not "%totsvcs%"=="0" echo %totsvcs% services in total
)
echo/>>%log%
goto :EOF

:QUERYSVCS
for /f "tokens=2 delims=:" %%p in ('sc \\%1 qc %2 ^| find "SERVICE_START_NAME"') do (
  set /a cnt+=1
  if "!cnt!" GEQ "5" (
    set cnt=0
  )
  set SVC=%%p
  set SVC=!SVC:^&=!
  echo !SVC! | find /i "%principal%" 1>%stdout% 2>%stderr%
  if not errorlevel 1 (
    set found=1
    set hit=1
    set /a mchsvcs+=1
    echo + %2 :%%p >>%log%
    set errorlevel=0
  )
)
goto :EOF

:DISPLAYLOG
if exist %log% (
  if "%logonly%"=="1" (
    echo/
    echo STATUS - Displaying log file:
    echo/
    echo + %log%
  )
  start "" notepad %log%
) else (
  echo/
  echo ERROR - Log file not located^^!
  echo/
  echo + %log%
)
goto :EOF

:SYNTAX
echo/
echo SYNTAX - %TITLE% [domain FQDN] ^<service-account^> [/log]
echo/
echo Displays all services from all active computers within the
echo supplied domain (that meet the service-account criteria)
echo/
echo - [domain FQDN] : name of domain to query for target computers
echo - ^<service-account^> : optional; name or partial name of service-account
echo - [/log] : must be used alone; displays log of last query
echo/
echo - %TITLE% should be executed on a domain member for optimal performance
echo/
echo e.g. -
echo/
echo C:\^>%TITLE% msetechnology.com Administrator
echo - display any service on any active computer within the
echo "msetechnology.com" domain that is running under the
echo security context "Administrator" [recommendation: NONE^^!]
echo/
echo C:\^>%TITLE% mset.com MSET\Adm
echo - display any service on any active computer within the
echo "mset.com" domain that is running under any security
echo context containing the case-insensitive string "MSET\Adm"
echo/
echo C:\^>%TITLE% mset.lab
echo - display all services on all active computers within the
echo "mset.lab" domain
echo/

:: End script and perform necessary cleanup
:END
title Command Prompt
del %TEMP%\computers.log 1>%stdout% 2>%stderr%
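A present-day equivalent of what SVClist does, added here as an example and not part of Dean's script or the thread: it applies the same pwdLastSet staleness filter to skip dead computer accounts, then reads each service's logon account (the value `sc qc` prints as SERVICE_START_NAME) through CIM rather than parsing sc output. It assumes a domain-joined host with WinRM/CIM access to the targets; the parameter names are mine.

```powershell
# Find-ServiceAccountUse.ps1 (added example; not Dean Wells' SVClist)
# Lists services on non-stale domain computers whose logon account contains
# $Principal, matched case-insensitively and partially, as SVClist does.
param(
    [Parameter(Mandatory)] [string] $Principal,   # e.g. 'MSET\svc-backup'
    [int] $StaleDays = 90                         # pwdLastSet older than this => skip
)

# Same staleness idea as SVClist: a member computer rotates its own password
# roughly monthly, so a computer whose pwdLastSet is older than ~3 months is
# probably gone. Computed from the clock instead of shaving a FILETIME digit.
$threshold = (Get-Date).AddDays(-$StaleDays).ToFileTime()
$searcher  = [adsisearcher]"(&(objectCategory=computer)(pwdLastSet>=$threshold))"
$searcher.PageSize = 1000                         # page past the 1000-object limit
$null = $searcher.PropertiesToLoad.Add('dNSHostName')
$computers = $searcher.FindAll() |
    ForEach-Object { $_.Properties['dnshostname'][0] } |
    Where-Object { $_ }

Write-Host "Querying $($computers.Count) non-stale computers for '*$Principal*'"

foreach ($computer in $computers) {
    # Cheap reachability check first, mirroring the script's ping step.
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        Write-Warning "$computer : unreachable"
        continue
    }
    try {
        # Win32_Service.StartName is the service logon account. Assumes WinRM
        # access; the original used sc.exe over RPC instead.
        Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction Stop |
            Where-Object { $_.StartName -and $_.StartName -like "*$Principal*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer  = $computer
                    Service   = $_.Name
                    StartName = $_.StartName
                    State     = $_.State
                    StartMode = $_.StartMode
                }
            }
    } catch {
        # Authentication, RPC and WinRM failures land here; record and move on.
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}
```

The output is a stream of objects, so it can be piped to Export-Csv to keep the equivalent of SVClist's log; services running as LocalSystem or NetworkService are skipped only because their StartName never matches a domain principal.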