To list all service accounts in your Active Directory (AD) environment, you can utilize PowerShell commands to identify both Managed Service Accounts (MSAs) and traditional user accounts designated as service accounts. Here's a step-by-step guide:
1. Retrieve Managed Service Accounts (MSAs):
MSAs are specialized AD accounts designed for services and applications, offering automatic password management and simplified Service Principal Name (SPN) management. To list all MSAs, use the following PowerShell command:
# Import the Active Directory module
Import-Module ActiveDirectory
# Retrieve all Managed Service Accounts
Get-ADServiceAccount -Filter *
This command imports the Active Directory module and retrieves all MSAs in the domain.
2. Identify Traditional User Accounts Used as Service Accounts:
In many environments, standard user accounts are repurposed as service accounts. To identify these, you can search for accounts with specific attributes or naming conventions.
a. By Service Principal Name (SPN):
Accounts with an SPN are typically used to run services. To find such accounts:
# Retrieve user accounts with an SPN
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties SamAccountName, ServicePrincipalName | Select-Object SamAccountName, ServicePrincipalName
This command lists all user accounts that have an SPN associated with them.
b. By Naming Convention:
If your organization follows a naming convention for service accounts (e.g., names starting with "svc-"), you can filter accounts based on this pattern:
# Retrieve user accounts following a specific naming convention
Get-ADUser -Filter 'SamAccountName -like "svc-*"' -Properties SamAccountName | Select-Object SamAccountName
This command lists all user accounts whose SamAccountName starts with "svc-".
c. By Password Settings:
Service accounts often have non-expiring passwords. To find such accounts:
# Retrieve user accounts with non-expiring passwords
Get-ADUser -Filter * -Properties SamAccountName, PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true } | Select-Object SamAccountName
This command lists all user accounts where the password is set to never expire.
3. Differentiate Regular User Accounts from Service Accounts:
Distinguishing between regular user accounts and service accounts can be challenging, especially if there's no strict naming convention. Here are some strategies:
- Account Description: Check the 'Description' attribute for indications that an account is used for services.
- Group Membership: Service accounts might be members of specific groups granting necessary permissions.
- Logon Restrictions: Service accounts often have restrictions on interactive logon.
By examining these attributes, you can better identify which accounts are designated for services.
4. Exporting the List of Service Accounts:
To review the identified service accounts, you can export the results to a CSV file:
# Export MSAs to CSV
Get-ADServiceAccount -Filter * | Select-Object Name, DistinguishedName | Export-Csv -Path "C:\ServiceAccounts\MSAs.csv" -NoTypeInformation
# Export user accounts with SPNs to CSV
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties SamAccountName, ServicePrincipalName | Select-Object SamAccountName, ServicePrincipalName | Export-Csv -Path "C:\ServiceAccounts\UserServiceAccounts.csv" -NoTypeInformation
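The steps above each produce a separate list. As an added example (not part of the original guide), the script below combines the SPN, naming-convention, password, description, group-membership and logon-restriction checks into one scored inventory, adds the MSAs, and writes a single CSV for review. It assumes the RSAT ActiveDirectory module is installed, that your prefix is "svc-", and that the folder C:\ServiceAccounts already exists (Export-Csv does not create it).

```powershell
# Added example, not from the original guide: one inventory that applies the SPN,
# naming-convention, password, description, group and logon-restriction checks above
# and exports a scored list. Assumptions: RSAT ActiveDirectory module installed,
# service-account prefix "svc-", and the folder C:\ServiceAccounts already exists.
Import-Module ActiveDirectory

$OutPath = 'C:\ServiceAccounts\ServiceAccountInventory.csv'
$Props   = 'SamAccountName','Description','ServicePrincipalName','PasswordNeverExpires',
           'PasswordLastSet','LogonWorkstations','MemberOf','Enabled'

# Server-side LDAP filter: pull an account if any single indicator matches, instead of
# retrieving every user and testing PasswordNeverExpires on the client.
$Filter = 'ServicePrincipalName -like "*" -or PasswordNeverExpires -eq $true -or SamAccountName -like "svc-*"'

$Users = Get-ADUser -Filter $Filter -Properties $Props | ForEach-Object {
    $u = $_
    # Each matching indicator adds one point; review the highest-scoring accounts first.
    $reasons = @()
    if ($u.ServicePrincipalName.Count -gt 0)     { $reasons += 'SPN' }
    if ($u.SamAccountName -like 'svc-*')         { $reasons += 'NamingConvention' }
    if ($u.PasswordNeverExpires)                 { $reasons += 'PasswordNeverExpires' }
    if ($u.Description -match 'service|svc|app') { $reasons += 'Description' }
    if ($u.LogonWorkstations)                    { $reasons += 'LogonRestricted' }
    # Group membership is reported (not scored) so reviewers can see which rights the account holds.
    $groups = $u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }

    [PSCustomObject]@{
        Type            = 'User'
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        Score           = $reasons.Count
        Reasons         = $reasons -join ';'
        SPNs            = $u.ServicePrincipalName -join ';'
        PasswordLastSet = $u.PasswordLastSet
        Groups          = $groups -join ';'
        Description     = $u.Description
    }
}

# MSAs and gMSAs are service accounts by definition; add them so the inventory is complete.
$Msas = Get-ADServiceAccount -Filter * -Properties PasswordLastSet | ForEach-Object {
    [PSCustomObject]@{
        Type = 'MSA'; SamAccountName = $_.SamAccountName; Enabled = $_.Enabled
        Score = $null; Reasons = 'ManagedServiceAccount'; SPNs = ''
        PasswordLastSet = $_.PasswordLastSet; Groups = ''; Description = ''
    }
}

@($Users) + @($Msas) | Sort-Object Score -Descending | Export-Csv -Path $OutPath -NoTypeInformation
```

Accounts with a high score but no entry in your documented service-account list, or with an old PasswordLastSet alongside PasswordNeverExpires, are the ones worth following up first.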
Ensure you have the necessary permissions to run these commands and that the Active Directory module is installed on your system. Regularly reviewing and documenting service accounts enhances security and aids in effective account management.