Tuesday, March 18, 2014

Automating an Audit of Service Accounts

The goal today is to show you how I am automating and documenting a list of which log-on account each of my services is using.

To start, I have a master list of servers, which is simply a text file, out there on my scheduled task server. I made adding a server's name to that list part of my commissioning checklist (which you totally should have).

Where this has come in handy, besides answering the "How did I do this on the other server" question, is when you have to change the password for a service account. Now, you'll know where else you need to update the password and can plan appropriately.

As an aside, I like the idea of the Windows Server managed service accounts, but there are too many things that they don't work with for me to use them. I don't really need more exceptions to remember.

One thing to keep in mind is that the output needs interpretation. If you DON'T see something under a certain server's name, it may be good, or it may not be. A SQL box shouldn't be running its services as LocalSystem, while something internal to the server, like the DHCP Client off the top of my head, doesn't really need to be using a dedicated account.

Here's the script. Inline comments as per usual.

#----------------------BEGIN SCRIPT-------------------

#Create Temporary output file
$OutputFile = "c:\temp\ServiceAudit.txt"

#Get the list of servers from my master list
$Computers = (Get-Content "c:\Lists\ServiceAccountAudit-servers.txt")

#For each server in the list
Foreach ($Computer in $Computers){
#Append the server's name to the temporary output file
Add-Content $OutputFile $Computer

#Use WMI to get each service's StartName (log-on account), EXCEPT for the common built-in ones; select the name and account, append to file
Get-WmiObject Win32_Service -ComputerName $Computer | `
where {$_.StartName -notlike "LocalSystem" -and $_.StartName -notlike "NT Authority\LocalService" -and $_.StartName -notlike "NT Authority\NetworkService" `
-and $_.StartName -notlike "NT Authority\Network Service" -and $_.StartName -notlike "NT Authority\Local Service"} `
| select Name, StartName | Add-Content $OutputFile

#Add some space between server entries
Add-Content $OutputFile "`r`n"
} #End Foreach

#Declare email parameters
$To = "itreporting@contoso.com"
$From = "helpdesk@contoso.com"
$Subject = "PS Report - Services"
$Body = 'This is a list of services on all servers that are not running under "system" credentials'
$SMTPServer = "mailserver.contoso.com"

#I get the temp file as attachment simply because I copy it to our IT Sharepoint once in a while as documentation
$Attachment = $OutputFile
Send-Mailmessage -to $To -Subject $subject -From $From -body $body -smtpserver $SMTPServer -attachments $Attachment

#Delete the Temp File ($Attachment points at the same file, so it is deleted only once)
remove-item $OutputFile -force

#-------------------END SCRIPT---------------------------
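As an added example (not the post's own script), here is the same audit written to record unreachable servers explicitly, so a server that was simply down does not look "clean", and to invert the report by account, so that a password rotation shows which servers an account touches. It assumes PowerShell 3.0 or later, the same master list path as above, and a CSV output path of my own choosing.

```powershell
# Added example, not the post's script: inventory service log-on accounts across
# the server list, flag unreachable hosts, and invert the view to account -> servers.
# Paths and the built-in account list below are assumptions for illustration.
$ServerList = 'c:\Lists\ServiceAccountAudit-servers.txt'   # same master list as the post
$CsvReport  = 'c:\temp\ServiceAccountAudit.csv'

# Built-in accounts that are expected and not worth reporting. Windows reports
# these with a few different spellings, so compare case-insensitively (-notin does).
$BuiltIn = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',   'NT AUTHORITY\Local Service',
    'NT AUTHORITY\NetworkService', 'NT AUTHORITY\Network Service'
)

function Get-ServiceAccountInventory {
    param([string[]]$ComputerName)

    foreach ($Computer in $ComputerName) {
        try {
            # -ErrorAction Stop turns an RPC/WMI failure into a catchable exception
            $Services = Get-WmiObject Win32_Service -ComputerName $Computer -ErrorAction Stop
        }
        catch {
            # An unreachable server must appear in the report, otherwise silence looks "clean"
            [pscustomobject]@{ Computer = $Computer; Service = '<UNREACHABLE>'; StartName = $_.Exception.Message }
            continue
        }
        foreach ($Svc in $Services) {
            # Skip the built-in accounts; everything else runs under a dedicated identity
            if ($Svc.StartName -and ($Svc.StartName -notin $BuiltIn)) {
                [pscustomobject]@{ Computer = $Computer; Service = $Svc.Name; StartName = $Svc.StartName }
            }
        }
    }
}

$Inventory = Get-ServiceAccountInventory -ComputerName (Get-Content $ServerList)

# Per-server view (what the post's text report shows), saved as CSV for SharePoint
$Inventory | Sort-Object Computer, Service | Export-Csv $CsvReport -NoTypeInformation

# Inverted view: for a password rotation, which servers does each account touch?
$Inventory |
    Where-Object { $_.Service -ne '<UNREACHABLE>' } |
    Group-Object StartName |
    Sort-Object Count -Descending |
    ForEach-Object { '{0,-40} {1,3} service(s) on: {2}' -f $_.Name, $_.Count, (($_.Group.Computer | Sort-Object -Unique) -join ', ') }
```

Rows whose Service column reads `<UNREACHABLE>` are the servers to re-run or investigate before trusting the rest of the report.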
