This thread appears to have been answered but I've enclosed the script for
those interested, let me know if you experience issues receiving it ... (it
may be too large per Tony's throttles).
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, June 27, 2006 9:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Where's that account being used?
>
> I swear Dean previously posted a script to this list to go
> looking for machine's using a specific account for one of
> their services.
>
> Other than that, I recommend you spin up at least one other
> ID, then start moving services/applications to it. That way
> when you think you got them all you can disable the account
> and see what breaks.
>
> Overall I am not a terrible fan of a single ID being shared
> by people or applications. All acocuntability goes straight
> out the window. As for the ID being a domain admin ID...
> Well that is just ridiculous and highlights some of the
> conversations on the list recently. Good luck cleaning it all up.
>
> joe
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
> Sent: Tuesday, June 27, 2006 12:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Where's that account being used?
>
> Dear fountain of knowledge,
>
> We've inherited a particularly messy AD structure, and we're
> now trying to find out where a particular account is in use.
> There's around 80 servers in the domain and 3000
> workstations, and this account appears to be used for pretty
> much anything that wants to log on as a service, or anyone
> who wants domain admin privs.
>
> Is there any kind of audit utility to scan servers and see
> which services are using the account, and ideally - any kind
> of monitoring package to flag up an alert each time the
> account is used to, say, map a drive or connect to a SQL db?
>
> --
> AdamT
> "A casual stroll through the lunatic asylum shows that faith
> does not prove anything." - Nietzsche
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
>
>
:: SVClist.CMD - Dean Wells / MSEtechnology - August 2005
:: Queries and list all services on all computers within a specified domain,
optionally filters list
:: to only those running within a specified security context
@echo off
setlocal ENABLEDELAYEDEXPANSION
:: Define initial environment
set fqdn=%1
set dn=dc=%fqdn:.=,dc=%
set principal=%2
set TITLE=SVClist
set VERSION=1.1
set log=%TEMP%\%TITLE%.log
set stdout=nul
set stderr=nul
set found=0
set compsofar=0
set failsofar=0
set logonly=0
set threshold= within roughly 3 months
set progresscharlist=-\I/
set progresschar=
set minimumfiletime=0
:: Display usual gunk
echo/
echo %TITLE% %VERSION% / Dean Wells ([EMAIL PROTECTED]) - Aug. 2005
:: Determine if supplied arguments were sufficient
if "%fqdn%"=="" (
set FQDN=/?
)
:: Was a help switch supplied
set fqdn=%fqdn:-?=-h%
set fqdn=%fqdn:/?=-h%
for %%h in (-h -help /h /help) do (
if /i "%fqdn%"=="%%h" goto :SYNTAX
)
:: Was the "log" switch supplied
for %%h in (-log /log) do (
if /i "%fqdn%"=="%%h" (
set logonly=1
call :DISPLAYLOG
goto :END
)
)
:: Define extreme SC query buffer to cope with unfamiliar environments
set bufsize=50000
:: Locate critical executables
for %%e in (net.exe findstr.exe find.exe sc.exe ldifde.exe notepad.exe) do (
set where="%%~$PATH:e"
if "!where!"=="""" (
echo/
echo ERROR - Required executable, "%%e", not located within the
path
goto :END
)
)
:: Prepare display
echo/
echo STATUS - Working [title bar displays service progression] ...
echo/
:: Cleanup existing temporary/log files and prepare log header
del %TEMP%\computers.log 1>%stdout% 2>%stderr%
del %log% 1>%stdout% 2>%stderr%
title %TITLE%
echo %TITLE% log, "%log%" - >>%log%
echo - created by "%USERNAME%" at "%TIME%" on "%DATE%">>%log%
:: Derive the Windows filetime value to use as part of query for active
computeraccounts, using local machine account's pwdlastset
:: Get local machine's full computer name
for /f "tokens=4" %%n in ('net config workstation ^| find /i "Full Computer
Name"') do set localdnsname=%%n
ldifde -j %TEMP% -s %fqdn% -d "%dn%" -r
"(&(objectcategory=computer)(dNSHostName=%localdnsname%))" -l pwdlastset -f
%TEMP%\%TITLE%-filetime.tmp 1>%stdout% 2>%stderr%
if errorlevel 1 (
echo ERROR - LDAP query failed enumerating today's filetime value
goto :SYNTAX
)
for /f "tokens=2 delims=: " %%d in ('findstr /i "pwdlastset:"
%TEMP%\%TITLE%-filetime.tmp') do (
set minimumfiletime=%%d
)
:: Reduce 4th byte of minimum filetime value by 1 since that equates to between
3 and 4 months prior to the read value
set /a highpart=%minimumfiletime:~0,4%-1
set lowpart=%minimumfiletime:~4%
set minimumfiletime=%highpart%%lowpart%
:: If w32tm executable can be found, convert minimumfiletime value to legible
date
if not %minimumfiletime% LSS 1 (
for %%e in (w32tm.exe) do (
set where="%%~$PATH:e"
if not "!where!"=="""" (
for /f "delims=- tokens=2" %%d in ('w32tm /ntte
%minimumfiletime%') do (
set threshold= since%%d
set threshold=!threshold:~0,-12!
)
)
)
)
:: Count total number of computers within domain
ldifde -j %TEMP% -s %fqdn% -d %dn% -r "(objectcategory=computer)" -l
dnshostname -f %TEMP%\computers.log 1>%stdout% 2>%stderr%
if errorlevel 1 (
echo ERROR - LDAP query failed enumerating server list
goto :SYNTAX
)
for /f %%h in ('type %TEMP%\computers.log ^| find /c /i "dnshostname: "') do (
set totcomp=%%h
)
:: Query and count the active computers within the domain
if not %minimumfiletime% LSS 1 (
ldifde -j %TEMP% -s %fqdn% -d %dn% -r
"(&(objectcategory=computer)(pwdlastset>=%minimumfiletime%))" -l dnshostname -f
%TEMP%\computers.log 1>%stdout% 2>%stderr%
if errorlevel 1 (
echo ERROR - LDAP query failed enumerating server list
goto :SYNTAX
)
for /f %%h in ('type %TEMP%\computers.log ^| find /c /i "dnshostname:
"') do (
set activecomp=%%h
)
) else (
set activecomp=%totcomp%
)
:: Further prepare console and log file
echo - enumerated computers in domain "%fqdn%">>%log%
echo - enumerating computers in domain "%fqdn%"
if not %minimumfiletime% LSS 1 (
echo - %totcomp% computer account objects located / %activecomp% are
not stale >>%log%
echo - %totcomp% computer account objects located / %activecomp% are
not stale
) else (
echo - local computer is non-domain member; staleness NOT determined
>>%log%
echo - local computer is non-domain member; staleness NOT determined
echo - %totcomp% computer account objects located >>%log%
echo - %totcomp% computer account objects located
)
if not "%principal%"=="" (
echo - queried %activecomp% computers for partial match on
service-account "%principal%" >>%log%
echo - querying %activecomp% computers for partial match on
service-account "%principal%"
echo HINT: search log for "+" symbol to locate service-account
name matches >>%log%
) else (
echo - queried %activecomp% computers >>%log%
echo - querying %activecomp% computers
set found=1
)
if not %minimumfiletime% LSS 1 (
echo + computer account deemed stale if account password
[pwdLastSet] unchanged >>%log%
echo + computer account deemed stale if account password
[pwdLastSet] unchanged
echo %threshold% >>%log%
echo %threshold%
)
echo/
echo/ >>%log%
echo #BEGIN LOG# >>%log%
echo/ >>%log%
:: Parse the computers
for /f "tokens=1,2 delims=: " %%h in ('type %TEMP%\computers.log ^| findstr /i
"dnshostname:"') do (
if /i "%%h"=="dnshostname" (
if not "%%i"=="" (
set /a compsofar+=1
set /a remaining=%activecomp%-!compsofar!
call :GETSVCS %%i
)
)
)
:: Tidy up display and log file
if "%found%"=="1" (
echo/
echo Done^^!
call :DISPLAYLOG
) else (
echo/
echo STATUS - No services located matching specified criteria
echo + queried domain "%fqdn%"
if not "%principal%"=="" (
echo + queried %activecomp% computers for partial
match on service-account "%principal%"
)
)
echo #END LOG# >>%log%
:: Script body ends
goto :END
:: Define functions and procedures
:GETSVCS
set mchsvcs=0
set totsvcs=0
set hit=0
set cnt=0
title %TITLE% - COMPUTER: !compsofar! of %activecomp% / REMAINING: %remaining%
/ FAILED: !failsofar! ... !progresschar!
echo [SERVER: %1]>>%log%
:: Add right aligned padding of 'x' periods
set srvname=%1 ..........................]
set srvname=!srvname:~0,25!
set /p = + !srvname!<nul
nslookup %1 2>&1 | find "can't" 1>%stdout% 2>%stderr%
if not errorlevel 1 (
echo #name resolution failure>>%log%
echo #name resolution failure
set /a failsofar+=1
goto :BAIL
) else (
ping -n 1 -w 500 %1 1>%stdout% 2>%stderr%
if errorlevel 1 (
echo #ICMP ping failure >>%log%
echo #ICMP ping failure
set /a failsofar+=1
goto :BAIL
) else (
net use \\%1 /y 1>%stdout% 2>%stderr%
if errorlevel 1 (
echo #authentication or RPC failure >>%log%
echo #authentication or RPC failure
set /a failsofar+=1
goto :BAIL
) else (
net use \\%1 /d /y 1>%stdout% 2>%stderr%
)
)
)
for /f "tokens=2 delims=: " %%s in ('sc \\%1 query state^= all bufsize^=
%bufsize% ^| find "SERVICE_NAME"') do (
set /a totsvcs+=1
if not "%principal%"=="" (
call set progresschar=%%progresscharlist:~!cnt!,1%%
title %TITLE% - COMPUTER: !compsofar! of %activecomp% /
REMAINING: %remaining% / FAILED: !failsofar! / SERVICE: !totsvcs! ...
!progresschar!
call :QUERYSVCS %1 %%s
) else (
echo + %%s>>%log%
)
)
:BAIL
if not "%principal%"=="" (
echo [/SERVER: %1 / %mchsvcs% hits logged out of %totsvcs% total
services found]>>%log%
if not "%totsvcs%"=="0" echo %mchsvcs% hits from %totsvcs% services
) else (
echo [/SERVER: %1 / %totsvcs% services in total]>>%log%
if not "%totsvcs%"=="0" echo %totsvcs% services in total
)
echo/>>%log%
goto :EOF
:QUERYSVCS
for /f "tokens=2 delims=:" %%p in ('sc \\%1 qc %2 ^| find
"SERVICE_START_NAME"') do (
set /a cnt+=1
if "!cnt!" GEQ "5" (
set cnt=0
)
set SVC=%%p
set SVC=!SVC:^&=!
echo !SVC! | find /i "%principal%" 1>%stdout% 2>%stderr%
if not errorlevel 1 (
set found=1
set hit=1
set /a mchsvcs+=1
echo + %2 :%%p >>%log%
set errorlevel=0
)
)
goto :EOF
:DISPLAYLOG
if exist %log% (
if "%logonly%"=="1" (
echo/
echo STATUS - Displaying log file:
echo/
echo + %log%
)
start "" notepad %log%
) else (
echo/
echo ERROR - Log file not located^^!
echo/
echo + %log%
)
goto :EOF
:SYNTAX
echo/
echo SYNTAX - %TITLE% [domain FQDN] ^<service-account^> [/log]
echo/
echo Displays all services from all active computers within the
echo supplied domain (that meet the service-account criteria)
echo/
echo - [domain FQDN] : name of domain to query for target computers
echo - ^<service-account^> : optional; name or partial name of service-account
echo - [/log] : must be used alone; displays log of last query
echo/
echo - %TITLE% should be executed on a domain member for optimal performance
echo/
echo e.g. -
echo/
echo C:\^>%TITLE% msetechnology.com Administrator
echo - display any service on any active computer within the
echo "msetechnology.com" domain that is running under the
echo security context "Administrator" [recommendation: NONE^^!]
echo/
echo C:\^>%TITLE% mset.com MSET\Adm
echo - display any service on any active computer within the
echo "mset.com" domain that is running under the any security
echo context containing the case-insensitive string "MSET\Adm"
echo/
echo C:\^>%TITLE% mset.lab
echo - display all services on all active computers within the
echo "mset.lab" domain
echo/
:: End script and perform necessary cleanup
:END
title Command Prompt
del %TEMP%\computers.log 1>%stdout% 2>%stderr%
