Mapping Service Accounts to Services without SPN mapping

  • Question

  • Hello Team, 

    I have a requirement where I would need to map Windows service accounts to the services they use when they log on to a particular application. We are basically trying to do a cleanup activity of the service accounts and are not sure which service account uses what application within the infrastructure.

    Requirement

    65 applications within the infrastructure need to be mapped to the service accounts that use them. I know I can pull out all the service accounts in PowerShell. The question is, can I map these service accounts to the application services that they use?

    Regards

    K_Sundar

    Sunday, July 21, 2019 12:55 AM

All replies

  • What can you mean by "mapping an application"? "Applications" are not associated with accounts. "Applications" are just executables that run under an account that starts them. There is no association until they are run by an account. There is no way to assign an account to an application. You can set a security descriptor that restricts which accounts are allowed to run an app or use GP to restrict apps.


    \_(ツ)_/

    Sunday, July 21, 2019 1:37 AM
    Moderator
  • Thanks a lot for the response.

    ""Applications" are just executables that run under an account that starts them"

    How do I output this to find out which executables are run by which account?

    Regards

    ka_Sundar


    Sunday, July 21, 2019 2:45 AM
  • You can't. I recommend that you learn the basics of operating systems and Windows. That is the only way for you to understand this.


    \_(ツ)_/

    Sunday, July 21, 2019 2:49 AM
    Moderator
  • Fair enough :)

    Let me be more specific, because I am surely not here to compete with the responses.

    I have 100 service accounts and I need to find out what startup executables these 100 service accounts use.

    Example: if I have putty.exe as one of the applications, is there a way to know what service accounts use putty.exe? Possibly a stupid question, but I am trying to find out whether it is in any way possible.

    Regards

    Karthik R Sundar 

    Sunday, July 21, 2019 3:34 AM
  • There is no such thing as what you are asking and there is no direct way to know what accounts can run which applications.

    A service account is any account used to run a service. "putty" is NOT a service, it is an application. Anyone with access to that application can run it.

    What you are asking makes absolutely no technical sense.

    This forum is for trained computer technicians and not for end users. I recommend hiring a consultant to help you understand this and to discover what you are trying to do and why.


    \_(ツ)_/

    Sunday, July 21, 2019 3:42 AM
    Moderator
  • This is possible.

    Thank you.

    blogs.technet.microsoft.com/isrpfeplat/2012/01/02/powershell-get-serviceaccountusage/

    Sunday, July 21, 2019 9:00 AM
  • That is not what you asked for. That gets the accounts used for services and scheduled tasks. You asked for how to find applications that were using service accounts.

    If you had used accurate names and had not insisted on applications we might have been able to understand what you wanted.

    The blog described how to return the accounts used for tasks and services. It has nothing to do with SPNs or service accounts. Any account can be used for a service or a task.


    \_(ツ)_/

    Sunday, July 21, 2019 10:57 AM
    Moderator
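
The inventory described in the reply above (which accounts are used for services and scheduled tasks, and which executables they start), as an added example that is not part of the thread and is not the linked blog's script. The host list in `$Computers` and the output file name are assumptions; remote hosts must accept CIM sessions over WinRM.

```powershell
# Added example (not from the thread or the linked blog).
# Assumption: $Computers is your own server list; WinRM must be reachable.
$Computers = @($env:COMPUTERNAME)

# Built-in identities to skip so only real (domain/local) accounts remain
$BuiltIn = '^(LocalSystem|SYSTEM|LOCAL SERVICE|NETWORK SERVICE|NT AUTHORITY\\.*|NT SERVICE\\.*|S-1-5-(18|19|20))$'

$inventory = foreach ($computer in $Computers) {
    try {
        $session = New-CimSession -ComputerName $computer -ErrorAction Stop
    } catch {
        Write-Warning "Cannot connect to ${computer}: $($_.Exception.Message)"
        continue
    }
    try {
        # Services: StartName is the logon account, PathName the executable
        Get-CimInstance -CimSession $session -ClassName Win32_Service |
            Where-Object { $_.StartName -and $_.StartName -notmatch $BuiltIn } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $computer; Account = $_.StartName; Type = 'Service'
                    Name = $_.Name; Executable = $_.PathName
                }
            }
        # Scheduled tasks: Principal.UserId is the run-as account
        Get-ScheduledTask -CimSession $session |
            Where-Object { $_.Principal.UserId -and $_.Principal.UserId -notmatch $BuiltIn } |
            ForEach-Object {
                $task = $_
                $task.Actions | Where-Object { $_.Execute } | ForEach-Object {
                    [pscustomobject]@{
                        Computer = $computer; Account = $task.Principal.UserId; Type = 'Task'
                        Name = $task.TaskPath + $task.TaskName
                        Executable = ("{0} {1}" -f $_.Execute, $_.Arguments).Trim()
                    }
                }
            }
    } finally {
        Remove-CimSession -CimSession $session
    }
}

# One row per account/executable pair; an account missing from the output
# has no service or scheduled task configured on the hosts that were queried.
$inventory | Sort-Object Account, Computer, Type |
    Export-Csv -Path .\ServiceAccountUsage.csv -NoTypeInformation
```

This covers only services and scheduled tasks; an account that is used interactively or embedded in an application's own configuration will not appear.
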
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    Wednesday, July 31, 2019 7:10 AM
    Moderator