You can also get this from the sc.exe command - start from sc <machinename> query to get the list of services, then follow that up to get the start name. It's also a fairly easy C programming project - open the service control manager, enumerate the services, then see which are running as something other than localsystem, etc. Any good network auditing tool should do this - I put it in the Internet Scanner almost 10 years ago.
Some additional pieces of information are needed - first would be to see if the service is running. Sometimes they'll be stopped with stale passwords. Next is to see if it is a domain account - lots of things make local accounts for services, and I'd assume you're not really concerned about these. Lastly, and this is a good trick I've been keeping to myself for quite some time, in order to find out when was the last time the account logged on to that system, check the write time and date on the HKLM\Software\Microsoft\Windows NT\ProfileList\[user's SID] key. Prior to Windows 2003, this was accessible as auth user, now it takes admin to read it remotely. I'm not sure if the last write time on a reg key is available using anything other than the Windows API calls. Any account that logs on locally, including services, will update the write time on the key for their account. A nice side-effect is that you can get the up time on the services in question, since every time they restart, a logon is performed. I once had someone pushing back on a password change policy for services, complaining it would hurt his up time, so I checked and found out that only 2% of his systems actually went that long without a restart, so security won that round.

Understanding who logs on as a service, and where, is really critical to securing the overall network. Anyone with admin credentials could hijack the service, and perform tasks using the service account. Thus you should not have services running under high level domain accounts, unless you're prepared to treat that system as being as critical to security as the domain controllers.

Hope this helps...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Talkovic, Scott A.
Sent: Tuesday, April 03, 2007 10:53 AM
To: Biassoni Riccardo; [email protected]
Subject: RE: Discovering Active Directory shared or Service users account

Here's a quick way to find non-standard service accounts that are actually used: Loop through each computer with the following command, replacing %1 with the name of the computer.

C:\>wmic /node:%1 service where (not StartName like "LocalSystem" and not StartName like "%%NetworkService%%" and not StartName like "%%LocalService%%") get Name, Caption, StartMode, StartName, Started

This might be more effective because, as James noted, service accounts look just like regular user accounts in Active Directory. There might be better ways other than this.

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Biassoni Riccardo
Sent: Tuesday, April 03, 2007 7:25 AM
To: [email protected]
Subject: Discovering Active Directory shared or Service users account

Hi All,

Is there a way to discover Active Directory "Shared" user account or "Service" users Account for auditing purpose? I have domain admin privileges and local access to my domain controllers.

Best regards
Tich
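As an added example (not from any poster in this thread), the script below combines the two approaches discussed above: it enumerates services per host the way the wmic query does, flags which accounts are domain accounts and whether the service is running, and reads the last-write time of the account's ProfileList key via RegQueryInfoKey, which is the Windows API call the first reply alludes to. It assumes remote WMI and remote registry access as a local admin on each host, and uses the ProfileList key's full path under CurrentVersion; the function and parameter names are my own.

```powershell
# Audit non-built-in service accounts on one or more hosts (added example, not from the thread).
# Assumes: PowerShell 3+, admin rights on each target, remote WMI + remote registry reachable.
param([string[]]$ComputerName = @($env:COMPUTERNAME))

# RegQueryInfoKey is the documented way to read a key's last-write time (not exposed by .NET).
Add-Type -Namespace Audit -Name RegKeyInfo -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(IntPtr hKey, System.Text.StringBuilder lpClass,
    ref uint lpcbClass, IntPtr lpReserved, ref uint lpcSubKeys, ref uint lpcbMaxSubKeyLen,
    ref uint lpcbMaxClassLen, ref uint lpcValues, ref uint lpcbMaxValueNameLen,
    ref uint lpcbMaxValueLen, ref uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-KeyLastWrite([Microsoft.Win32.RegistryKey]$Key) {
    $n = [uint32]0; $ft = [long]0                      # counts are ignored; only the FILETIME matters
    $rc = [Audit.RegKeyInfo]::RegQueryInfoKey($Key.Handle.DangerousGetHandle(), $null,
        [ref]$n, [IntPtr]::Zero, [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$ft)
    if ($rc -ne 0) { return $null }
    [DateTime]::FromFileTimeUtc($ft)
}

# Built-in identities that the wmic filter in the thread also excludes; NT SERVICE\ virtual accounts too.
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
$profileList = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

foreach ($c in $ComputerName) {
    $svcs = Get-WmiObject -ComputerName $c -Class Win32_Service | Where-Object {
        $_.StartName -and ($builtin -notcontains $_.StartName) -and ($_.StartName -notlike 'NT SERVICE\*') }
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $c)
    foreach ($s in $svcs) {
        $acct = $s.StartName -replace '^\.\\', "$c\"   # ".\user" means a local account on that host
        $isDomain = ($acct -notlike "$c\*") -and ($acct -match '\\|@')
        $lastLogon = $null
        try {
            # Resolve the account to its SID; fails (and stays $null) for local accounts of another host.
            $sid = (New-Object System.Security.Principal.NTAccount($acct)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            $k = $hklm.OpenSubKey("$profileList\$sid")
            if ($k) { $lastLogon = Get-KeyLastWrite $k; $k.Close() }   # key write time ~ last logon
        } catch { }
        [pscustomobject]@{ Computer = $c; Service = $s.Name; Account = $acct; DomainAccount = $isDomain
                           Running = $s.Started; StartMode = $s.StartMode; LastLogonUtc = $lastLogon }
    }
    $hklm.Close()
}
```

Rows with DomainAccount true and a recent LastLogonUtc are the ones worth attention: a running service under a domain account can be hijacked by any local admin on that host, so those hosts need to be protected like the accounts they hold.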
