How to identify who owns a specific account

  • Question

  • We have a list of service accounts for which we need to find the owners. Unfortunately there is no description populated when creating these users. Hence the issue.

    Is there a way in which we can find out the ownership details, somehow from AD?

    Thanks

    Wednesday, May 28, 2014 3:36 PM

Answers

  • I have a list of service accounts. Can I know which domain controllers are authenticating these accounts using any script?

    Once I know that, I can look on those Domain Controllers for Event ID 528's, which will give me information about which system that user is authenticating from. That way maybe we can try and identify who the owner of that service account is.

    Thoughts?

    Greetings!

    Selecting a domain controller for login purposes is a round-robin process. You do not know which DC will authenticate the user. For finding out who is the security owner of a specific object you can use this PowerShell snippet:

    (Get-ACL 'AD:\CN=Iric,OU=Users,dc=contoso,DC=com').Owner

    Regards.


    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.

    • Marked as answer by Vish1974 Tuesday, July 29, 2014 12:23 PM
    Thursday, May 29, 2014 3:10 AM
    Moderator
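
An added example, not code from any poster in this thread: for each account in a list it reports the security owner of the AD object (the `Get-ACL` lookup from the answer above) and, because any DC may have handled the authentication, searches every DC's Security log for the hosts the account logs on from. The account names are constructed placeholders, and the script assumes domain controllers running Windows Server 2008 or later, where logon events carry ID 4624 rather than the 528 mentioned in the thread.

```powershell
# Added example. $Accounts holds hypothetical sAMAccountNames.
Import-Module ActiveDirectory

$Accounts = 'svc-backup', 'svc-sql'          # constructed sample names
$DCs      = (Get-ADDomainController -Filter *).HostName

foreach ($name in $Accounts) {
    $user = Get-ADUser -Identity $name -Properties whenCreated, ServicePrincipalName

    # Security owner of the AD object, as in the answer's Get-ACL snippet.
    $owner = (Get-Acl -Path ("AD:\" + $user.DistinguishedName)).Owner

    # XPath filter: logon events (assumed ID 4624) whose TargetUserName is this account.
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='$name']]"

    $sources = foreach ($dc in $DCs) {
        # DC selection is not predictable, so every DC's Security log is queried.
        Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath `
                     -MaxEvents 200 -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Flatten the event's <Data Name="..."> elements into a lookup table.
                $data = @{}
                ([xml]$_.ToXml()).Event.EventData.Data |
                    ForEach-Object { $data[$_.Name] = $_.'#text' }
                [pscustomobject]@{
                    Workstation = $data['WorkstationName']
                    IpAddress   = $data['IpAddress']
                }
            }
    }

    # One summary row per account: owner plus the most frequent source hosts.
    [pscustomobject]@{
        Account     = $name
        Owner       = $owner
        Created     = $user.whenCreated
        SPNs        = $user.ServicePrincipalName -join '; '
        SourceHosts = ($sources | Group-Object IpAddress, Workstation |
                       Sort-Object Count -Descending |
                       ForEach-Object { '{0} x{1}' -f $_.Name, $_.Count }) -join '; '
    }
}
```

Reading the Security log remotely requires the corresponding rights on each DC, and results only go back as far as each log's retention.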

All replies

  • Using PowerShell, do the following:

    Run "Import-Module ActiveDirectory" from PowerShell.

    If you want to see what modules are installed on the box, you can run "Get-Module -list".

    Command:

    Get-aduser "username" -properties *

    Example:

    Get-ADUSER "John.Doe" -properties *

    Wednesday, May 28, 2014 3:48 PM
  • Hi,

    You can use the below PowerShell command to get the list of services and the ownership of each service (service account):

    Get-WmiObject win32_service | select DisplayName,StartName

    Where,
     DisplayName  - Display name of the Service
     StartName      - With whose credentials Service runs (Service Account name)

    Check out the below link on the blog for getting service accounts for services:
    http://blogs.technet.com/b/heyscriptingguy/archive/2012/02/15/the-scripting-wife-uses-powershell-to-find-service-accounts.aspx

    Regards,
    Gopi
    JiJi Technologies

    Wednesday, May 28, 2014 4:43 PM
  • I have a list of service accounts. Can I know which domain controllers are authenticating these accounts using any script?

    Once I know that, I can look on those Domain Controllers for Event ID 528's, which will give me information about which system that user is authenticating from. That way maybe we can try and identify who the owner of that service account is.

    Thoughts?

    Wednesday, May 28, 2014 6:06 PM
  • The following PowerShell script will tell you the DC the user account last authenticated to (change "FQDN" to your domain name).
    
    
    
    ##################
    #--------Config
    ##################

    $domain = "FQDN"

    ##################
    #--------Main
    ##################

    Import-Module ActiveDirectory
    cls
    "The domain is " + $domain
    $samaccountname = Read-Host 'What is the User samaccountname?'
    "Processing the checks ..."
    # Enumerate every domain controller in every site of the current forest
    $myForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domaincontrollers = $myForest.Sites | % { $_.Servers } | Select Name
    $RealUserLastLogon = $null
    $LastusedDC = $null
    $domainsuffix = "*." + $domain
    foreach ($DomainController in $DomainControllers)
    {
        # Only query DCs that belong to the configured domain
        if ($DomainController.Name -like $domainsuffix)
        {
            # Read this DC's own copy of the account's lastLogon value
            $UserLastlogon = Get-ADUser -Identity $samaccountname -Properties LastLogon -Server $DomainController.Name
            # Keep the most recent value seen so far and the DC that reported it
            if ($RealUserLastLogon -le [DateTime]::FromFileTime($UserLastlogon.LastLogon))
            {
                $RealUserLastLogon = [DateTime]::FromFileTime($UserLastlogon.LastLogon)
                $LastusedDC = $DomainController.Name
            }
        }
    }
    "The last logon occurred the " + $RealUserLastLogon
    "It was done against " + $LastusedDC
    # Wait for Enter so the console window stays open
    $message = "............."
    $exit = Read-Host $message


    Wednesday, May 28, 2014 6:18 PM
  • You can use the EventCombMT tool to search centrally for an event ID on a particular DC. The attribute lastlogon is not replicated & it can be different on each DC, whereas the lastlogontimestamp attribute is replicated but it's not accurate.

    http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

    I believe you can use the below batch file to get the logon date & time more precisely.

    @echo off
    echo OUName;Logon;%Date% %TIME%;%COMPUTERNAME%;%USERNAME%;%IP% >> "\\FileServer_Name\Audit$\DomainName.log"

    You can use the below GUI tool too.

    http://www.cjwdev.com/Software/ADTidy/Info.html


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.


    Thursday, May 29, 2014 2:32 AM
    Moderator
  • Hi,

    I just want to confirm what is the current situation.

    Please feel free to let us know if you need further assistance.

    Regards.


    Vivian Wang

    Monday, June 2, 2014 7:44 AM
    Moderator
  • Will try some of the suggestions today and let everyone know.
    Wednesday, June 4, 2014 2:08 AM
  • Hi,

    I just want to confirm what is the current situation.

    Regards.


    Vivian Wang

    Saturday, June 7, 2014 5:05 AM
    Moderator