I've got an old service account that is attached to an undetermined amount of scheduled tasks and services across 7 or 8 servers.

Unfortunately, this account was created by a previous employee who failed to document the password, so now I need to add more scheduled tasks that relate to this service. I'd really hate to create another service account just for my changes.

Is there something I can use on the domain controller(s) that will log whenever that service account is attempting to authenticate? That way, I'll know what I have to fix whenever I change the password! :)

user47994
  • Another issue is that more often than not these don't really need to be domain accounts. You may want to reconsider the usage of domain accounts for services\tasks. – tony roth Jul 09 '10 at 21:26

3 Answers

If you have the proper auditing configured, and then use EventCombMT against your DCs, you can do this.

mfinni
  • the problem with this is that it won't tell you the name of the task/service! – tony roth Jul 09 '10 at 21:23
  • He's not asking for that. I can't think of anything you could do, short of going all the way to manual inspection of each server, to determine which service on which machines this is happening. If he wants that (which is not what he asked for), then he should do a dump of all services on all servers and read through the lists to see what account(s) are used on which servers. – mfinni Jul 10 '10 at 02:49
With only 7 to 8 servers I'd do the following for services:

wmic /node:servername service where "startname like '%domain netbios name%'" get startname,name

Do

schtasks /s servername /query /v | findstr /i "domain netbios name"

for the scheduled tasks.

tony roth
  • This was perfect for my case since I knew which servers would have the account on it as well as the number of servers I had to check. If it were more than 10, I imagine this would call for the EventCombMT method described below. Thanks everyone. – user47994 Jul 12 '10 at 14:00
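A PowerShell version of the two checks above, run against a list of servers and collected into one table, added here as an example (it is not part of tony roth's answer). The server names, the account name and the output path are placeholders.

```powershell
# Added example: enumerate services and scheduled tasks that run as one domain account.
# Mirrors "wmic ... service where startname like ..." and "schtasks /s ... /query /v".
$Servers = 'SERVER01', 'SERVER02', 'SERVER03'   # placeholder host names
$Account = 'CONTOSO\svc_legacy'                 # placeholder DOMAIN\account to look for

$results = foreach ($s in $Servers) {
    # Services: Win32_Service.StartName is the "Log On As" identity (DOMAIN\user form).
    try {
        Get-WmiObject -ComputerName $s -Class Win32_Service -ErrorAction Stop |
            Where-Object { $_.StartName -and $_.StartName -ieq $Account } |
            ForEach-Object {
                [pscustomobject]@{
                    Server = $s; Type = 'Service'; Name = $_.Name
                    RunAs  = $_.StartName; State = $_.State
                }
            }
    } catch {
        Write-Warning "WMI query failed on ${s}: $_"
    }

    # Scheduled tasks: CSV output parses cleanly; verbose mode includes "Run As User".
    $csv = schtasks /s $s /query /v /fo csv 2>$null
    if ($csv) {
        $csv | ConvertFrom-Csv |
            # Some Windows versions repeat the header row per task folder; drop those.
            Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Run As User' -ieq $Account } |
            ForEach-Object {
                [pscustomobject]@{
                    Server = $s; Type = 'Task'; Name = $_.TaskName
                    RunAs  = $_.'Run As User'; State = $_.Status
                }
            }
    } else {
        Write-Warning "schtasks query failed on $s (access denied or host unreachable?)"
    }
}

# One list of everything that will break when the password changes.
$results | Sort-Object Server, Type, Name | Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path .\service-account-usage.csv   # placeholder path
```

Run it from an account with administrative rights on each server; hosts that fail WMI or schtasks are reported as warnings rather than silently skipped, so a missing server shows up in the output.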
I believe this is the proper auditing you'd want to use. Change the value of the following key to 5 (HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering). This will log every LDAP query made against your DC. Below is the KB article explaining the key change and levels of verbosity. I second the use of EventCombMT to actually sort through the logs once you turn this setting on, and be careful since your logs will fill up mighty quick with this enabled.

http://support.microsoft.com/kb/314980

Chris Hupman
  • I don't think this will provide anything pertinent to the task at hand. The security log on the dc's will record the username and workstation anyway. – tony roth Jul 10 '10 at 00:43