Services using Domain admin account

This topic contains 2 replies, has 2 voices, and was last updated by  Steve Wouden 4 years, 1 month ago.

  • #11413

    Steve Wouden
    Participant

    With someone on another forum I created a script to check services on all the servers running under an administrator account.
    Also I wanted the script to log every server.
    There is still something not right with the script. The output is empty. I know a server that is running services with an administrator account.
    If I put this server name last in the server list (allwindows.csv), I do get an output. If I put this server name in the middle or someplace else, there is no output in serverlist.htm. It seems like only the last server in the list is "scanned", although I see every server in the log file.

    $a = "

    "

    $server = Get-Content C:\Allwindows.csv
    foreach ($comp in $server)
    {
        try
        {
            $ErrorActionPreference = "Stop"
            $ifeverything_ok = $true
            $service = Get-WmiObject win32_service -ComputerName $comp -Filter "StartName Like '%Administrator%'" |
                Select-Object @{Expression={$_.systemName};Label = "Server Name"},
                    @{Expression={$_.DisplayName};Label = "Service Name"},
                    @{Expression={$_.Name};Label = "Service"},
                    @{Expression={$_.StartName};Label = "Account"},
                    State |
                ConvertTo-HTML -head $a -Body "

    Service Accounts Running As Domain Administrator

    "
            $service | Out-File C:\ServerList.htm
            $comp | Out-File C:\Temp\Logs.txt -Append -Encoding ascii

            #Invoke-Expression C:\ServerList.htm
        }
        Catch [system.exception]
        {
            $ifeverything_ok = $false
            $comp | Out-File C:\Temp\Logs.txt -Append -encoding ASCII
            Add-Content -Value $_.Exception -Path C:\Temp\Logs.txt
        }
    }

    Could you please help me edit this script?
    Thanx

  • #11418

    Dave Wyatt
    Moderator

    You're overwriting ServerList.htm every time through the loop with that call to Out-File. What you're probably looking to do is something more like this (moving the calls to ConvertTo-Html and Out-File outside the loop):

    $head = @'
    
    '@
    
    $ifeverything_ok = $true
    
    Get-Content C:\Allwindows.csv |
    ForEach-Object {
        $comp = $_
        try
        {
            $ErrorActionPreference = "Stop"
            
            $properties = @(
                @{Expression={$_.systemName};Label = "Server Name"},
                @{Expression={$_.DisplayName};Label = "Service Name"},
                @{Expression={$_.Name};Label = "Service"},
                @{Expression= {$_.StartName};Label = "Account"},
                'State'
            )
    
            Get-WmiObject win32_service -ComputerName $comp -filter "StartName Like '%Administrator%'" |
            Select-Object -Property $Properties
            
            $comp | Out-File C:\Temp\Logs.txt -Append -Encoding ascii
    
        }
        Catch [system.exception]
        {
            $ifeverything_ok = $false
            $comp | Out-File C:\Temp\Logs.txt -Append -encoding ASCII
            Add-Content -Value $_.Exception -Path C:\Temp\Logs.txt
        }
    } |
    ConvertTo-Html -Head $head -Body "

    Service Accounts Running As Domain Administrator

    " |
    Out-File C:\ServerList.htm

    Invoke-Expression C:\ServerList.htm

    On a side note, this script doesn't actually identify services running as a Domain Admin account (which would imply you should be checking for group membership). It just looks for services running as any account with "Administrator" in the name.
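
The group-membership check that the side note above refers to, as an added example that is not part of the original thread: it parses each service's logon name and flags it only when the account is in the domain and in a supplied member list, so a local `.\Administrator` or a name that merely contains "Administrator" is not reported. The function name `Find-DomainAdminService`, the domain names and all sample records are constructed, and a UPN prefix is assumed to equal the sAMAccountName.

```powershell
# Added example; function name, domain names and sample records are constructed.
function Find-DomainAdminService {
    param(
        [Parameter(Mandatory)] [object[]] $Service,             # needs SystemName, Name, StartName, State
        [Parameter(Mandatory)] [string[]] $AdminSamAccountName, # members of Domain Admins
        [Parameter(Mandatory)] [string]   $NetBiosDomain,
        [Parameter(Mandatory)] [string]   $DnsDomain
    )
    foreach ($svc in $Service) {
        # StartName is DOMAIN\user, user@dns.domain, .\user, or a built-in such as LocalSystem.
        if ($svc.StartName -match '^([^\\]+)\\(.+)$') {
            $domain, $user = $Matches[1], $Matches[2]
        }
        elseif ($svc.StartName -match '^([^@]+)@(.+)$') {
            # Assumption: the UPN prefix equals the sAMAccountName.
            $user, $domain = $Matches[1], $Matches[2]
        }
        else { continue }   # built-in accounts carry no domain part

        # ".\x" and "SERVERNAME\x" are local accounts, not domain accounts.
        if ($domain -notin @($NetBiosDomain, $DnsDomain)) { continue }

        # -contains is case-insensitive, matching how Windows treats account names.
        if ($AdminSamAccountName -contains $user) {
            $svc | Select-Object SystemName, Name, StartName, State
        }
    }
}

# With the ActiveDirectory module, the member list could come from:
#   Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
#       Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName
# and the service objects from Get-WmiObject Win32_Service -ComputerName <server>.
$admins = 'Administrator', 'svc-backup'   # constructed member list
$sample = @(                              # constructed service records
    [pscustomobject]@{ SystemName='SRV01'; Name='BackupAgent'; StartName='CONTOSO\svc-backup';            State='Running' }
    [pscustomobject]@{ SystemName='SRV01'; Name='LegacyApp';   StartName='Administrator@contoso.example'; State='Running' }
    [pscustomobject]@{ SystemName='SRV02'; Name='Spooler';     StartName='LocalSystem';                   State='Running' }
    [pscustomobject]@{ SystemName='SRV02'; Name='OldTool';     StartName='.\Administrator';               State='Stopped' }
    [pscustomobject]@{ SystemName='SRV03'; Name='WebAdminUI';  StartName='CONTOSO\webadministrator';      State='Running' }
)
Find-DomainAdminService -Service $sample -AdminSamAccountName $admins `
    -NetBiosDomain 'CONTOSO' -DnsDomain 'contoso.example' | Format-Table -AutoSize
```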

  • #11420

    Steve Wouden
    Participant

    Thank you, thank you..
    I've been troubleshooting this for 3 days with someone on the Microsoft TechNet forum, and you fix it in 5 or less minutes..
    I noticed the Microsoft guy was a beginner, but hey, everybody has got to start somewhere. I'm a PowerShell dummy..

    And your side note is true. The subject of this post should be "Services using Administrator account"
    I want to be sure to get every service with any administrator account, domain\administrator or administrator@domain or just administrator.
    We are going to change (domain) administrator passwords.
    Anyway, thanx again
