Trying to find Service accounts


I am not very good at PowerShell (yet) and I was tasked with finding all the service accounts in our Active Directory. Once I have a list I need to find the last time each was used to log on and clear out the old accounts. I can't figure out how to gather the accounts. I have tried the Get-ADServiceAccounts with different settings but can't get it to find the accounts. It seems like it should be easy but....

 

Any help would be appreciated!

3 Replies

@Chris Ruebel 

 

What have you tried?

 

This should get you started:

Get-ADServiceAccount -Filter * -SearchScope Subtree

 

This will grab all the service accounts in your domain.

Your AD domain's distinguished name can be obtained from:

(Get-ADDomain).DistinguishedName


@Darrick 

 

Thanks for the reply - where would the Distinguished name fit into the command? Let's say my distinguished name is DC=Contoso, DC=Com


@Chris Ruebel 

 

The distinguished name can be used in the cmdlet like so:

Get-ADServiceAccount -Filter * -SearchBase (Get-ADDomain).DistinguishedName

 

The -SearchBase parameter accepts a distinguished name syntax, e.g. "CN=blah, OU=blah, dc=domain, dc=domain". This provides a means of targeting your search at a known starting point instead of the entire directory.

 

Use the -SearchScope parameter to specify how deep the search should go: Base, OneLevel, Subtree

 

Ex: Get-ADServiceAccount -Filter * -SearchScope Base

Ex: Get-ADServiceAccount -Filter * -SearchBase (Get-ADDomain).DistinguishedName -SearchScope Base

Ex: Get-ADServiceAccount -Filter * -SearchScope Subtree

Ex: Get-ADServiceAccount -Filter * -SearchBase (Get-ADDomain).DistinguishedName -SearchScope Subtree

Note the results.

 

Review the documentation here:

https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-adserviceaccount?view=win1...

https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-addomain?view=win10-ps
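
Added example, not written by any participant in this thread: a read-only inventory that covers the original task (list service accounts, then find when each last logged on). It goes beyond the replies in one respect: Get-ADServiceAccount only returns managed service accounts (sMSA/gMSA objects), so the sketch also lists ordinary user accounts that have a service principal name registered. The 90-day threshold, the variable names and the output file name are assumptions.

```powershell
# Added example: inventory service accounts and flag those with no recent logon.
# Requires the ActiveDirectory module (RSAT). Nothing here modifies the directory.
Import-Module ActiveDirectory

$StaleDays  = 90                                   # assumed threshold, adjust to policy
$Cutoff     = (Get-Date).AddDays(-$StaleDays)
$SearchBase = (Get-ADDomain).DistinguishedName     # e.g. DC=Contoso,DC=Com
$Props      = 'LastLogonDate', 'whenCreated', 'Enabled'

# 1. Managed service accounts (sMSA/gMSA): the only objects this cmdlet returns.
$managed = Get-ADServiceAccount -Filter * -SearchBase $SearchBase `
    -SearchScope Subtree -Properties $Props

# 2. Ordinary user objects with a service principal name, i.e. user accounts
#    that services run as. krbtgt always has an SPN and is excluded.
#    User accounts used by services without an SPN will not appear here;
#    those need a site-specific rule (naming convention, dedicated OU).
$spnUsers = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -SearchBase $SearchBase -SearchScope Subtree -Properties $Props

# Normalise both result sets into one report.
$report = (@($managed) + @($spnUsers)) | ForEach-Object {
    [pscustomobject]@{
        Name              = $_.SamAccountName
        ObjectClass       = $_.ObjectClass
        Enabled           = $_.Enabled
        Created           = $_.whenCreated
        LastLogonDate     = $_.LastLogonDate
        # No recorded logon at all also counts as stale; check Created
        # before treating a brand-new account as abandoned.
        Stale             = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $Cutoff)
        DistinguishedName = $_.DistinguishedName
    }
}

# Oldest logons first, then write the stale candidates out for review.
$report | Sort-Object LastLogonDate | Format-Table Name, ObjectClass, Enabled, LastLogonDate, Stale -AutoSize
$report | Where-Object Stale |
    Export-Csv -Path .\stale-service-accounts.csv -NoTypeInformation   # assumed file name
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag the real last logon by up to about two weeks, so keep the threshold well above that. Review the CSV and disable accounts for a period before deleting anything.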