Trying to find Service accounts

I am not very good at PowerShell (yet) and I was tasked with finding all the service accounts in our Active Directory. Once I have a list, I need to find the last time each was used to log on and clear out the old accounts. I can't figure out how to gather the accounts. I have tried the Get-ADServiceAccounts with different settings but can't get it to find the accounts. It seems like it should be easy but...

 

Any help would be appreciated!

3 Replies

@Chris Ruebel 

 

What have you tried?

 

This should get you started:

Get-ADServiceAccount -Filter * -SearchScope Subtree

 

This will grab all the service accounts in your domain.

Your AD domain's distinguished name can be obtained from:

(Get-ADDomain).DistinguishedName

@Darrick 

 

Thanks for the reply - where would the distinguished name fit into the command? Let's say my distinguished name is DC=Contoso, DC=Com

@Chris Ruebel 

 

The distinguished name can be used in the cmdlet like so:

Get-ADServiceAccount -Filter * -SearchBase (Get-ADDomain).DistinguishedName

 

The -SearchBase parameter accepts a distinguished name, e.g. "CN=blah, OU=blah, dc=domain, dc=domain". This provides a means of targeting your search at a known starting point instead of the entire directory.

 

Use the -SearchScope parameter to specify how deep the search should go: Base, OneLevel, Subtree

 

Ex: Get-ADServiceAccount -Filter * -SearchScope Base

Ex: Get-ADServiceAccount -Filter * -SearchBase (Get-ADDomain).DistinguishedName -SearchScope Base

Ex: Get-ADServiceAccount -Filter * -SearchScope Subtree

Ex: Get-ADServiceAccount -Filter * -SearchBase (Get-ADDomain).DistinguishedName -SearchScope Subtree

Note the results.

 

Review the documentation here:

https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-adserviceaccount?view=win1...

https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-addomain?view=win10-ps
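
Added example, not part of the original replies: one way to turn the cmdlets above into the stale-account report the question asks for. It assumes the ActiveDirectory (RSAT) module is installed; the function name, the 90-day threshold and the CSV path are hypothetical choices. Get-ADServiceAccount returns only managed service account objects, so ordinary user accounts that run services will not appear in this report.

```powershell
# Added example: report managed service accounts and flag ones that look stale.
# Assumptions: ActiveDirectory module available; 90 days and the CSV path are arbitrary.
Import-Module ActiveDirectory

function Get-StaleServiceAccount {
    [CmdletBinding()]
    param(
        # Where to start searching; defaults to the domain root as in the thread.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Accounts with no logon in this many days are flagged.
        [int]$StaleAfterDays = 90
    )

    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    # LastLogonDate is derived from the replicated lastLogonTimestamp attribute,
    # which by default can lag real logons by up to about 14 days, so keep the
    # threshold well above that.
    Get-ADServiceAccount -Filter * -SearchBase $SearchBase -SearchScope Subtree `
        -Properties LastLogonDate, whenCreated, Description |
        ForEach-Object {
            # LastLogonDate is $null when the account has never logged on;
            # in that case fall back to the creation date so that brand-new
            # accounts are not flagged before they are put into use.
            $neverUsed = $null -eq $_.LastLogonDate
            $reference = if ($neverUsed) { $_.whenCreated } else { $_.LastLogonDate }

            [pscustomobject]@{
                Name              = $_.Name
                SamAccountName    = $_.SamAccountName
                Enabled           = $_.Enabled
                Created           = $_.whenCreated
                LastLogonDate     = $_.LastLogonDate
                NeverLoggedOn     = $neverUsed
                Stale             = $reference -lt $cutoff
                Description       = $_.Description
                DistinguishedName = $_.DistinguishedName
            }
        }
}

# Review the report before changing anything; this script only reads from AD.
Get-StaleServiceAccount -StaleAfterDays 90 |
    Sort-Object Stale, LastLogonDate |
    Export-Csv -Path .\service-accounts.csv -NoTypeInformation
```

Confirm with each account's owner before acting on an entry marked stale, and disable an account for a period before removing it so that a service that still depends on it can be restored quickly.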