During a recent security exercise, I needed to validate all of the admin-created service accounts in use on a customer’s Windows domain. The only problem was the total lack of trust in the documentation. In order to check them, I would first have to find the service accounts across dozens of customer environments.
Surely Microsoft included a method to acquire the data I needed? I mean, it’s their recommendation to review the accounts in the first place. So, I’ll just fire up the domain service account console. Yeah, right, you are on your own.
Some of my co-workers had resorted to logging on to each server one at a time, but I had way too many for a manual search. Of all the skills that I have invested my time into learning, none have paid off like knowing PowerShell.
Run the script below from a DC or a system with the RSAT AD modules installed. Use a Domain Admin account in an elevated PowerShell console. It will find all of the Windows servers in the domain and list the services that are set to start automatically under a named account.
# Suppress errors from servers that are offline or refuse WMI connections
$ErrorActionPreference = "SilentlyContinue"
Import-Module ActiveDirectory

# Locate the PDC emulator of every domain in the forest
$domains = (Get-ADForest).Domains
$dcs = foreach ($domain in $domains) {
    Get-ADDomainController -DomainName $domain -Discover -Service PrimaryDC
}

# Collect the DNS names of all Windows Server computer accounts, asking each domain's own DC
$servers = foreach ($dc in $dcs) {
    Get-ADComputer -Server "$($dc.HostName)" -Filter 'OperatingSystem -like "*Windows Server*"' |
        Select-Object -ExpandProperty DNSHostName
}

# List the auto-start services on each server that run under a named (non built-in) account
foreach ($server in $servers) {
    Get-WmiObject -Class Win32_Service -ComputerName $server -Property SystemName, Name, StartMode, StartName, State |
        Select-Object SystemName, Name, StartMode, StartName, State |
        Where-Object {($_.StartMode -like "auto") -and ($_.StartName -notlike "*NT Auth*") -and ($_.StartName -notlike "*Local*") -and ($_.StartName -notlike $null)} |
        Format-Table -AutoSize
}
This is a beneficial script; it works perfectly. Any insight if I wanted to export this to a CSV file?
Run the code as a function. Call the function and pipe the results to Export-CSV.
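The approach from the reply above, as an added example that is not part of the original post or its comments: the service query is wrapped in a function that emits plain objects (no Format-Table, whose formatting output cannot be exported as data) and warns about servers it could not reach, so the CSV is not mistaken for full coverage. The function name Get-NamedServiceAccount and the output path are assumptions made for illustration.

```powershell
# Added example: Get-NamedServiceAccount is a hypothetical function name,
# and the CSV path at the bottom is a constructed sample value.
function Get-NamedServiceAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName
    )
    process {
        foreach ($computer in $ComputerName) {
            try {
                # -ErrorAction Stop turns an unreachable host into a catchable error
                $services = Get-WmiObject -Class Win32_Service -ComputerName $computer `
                    -Property SystemName, Name, StartMode, StartName, State -ErrorAction Stop
            }
            catch {
                # Report hosts that could not be audited instead of skipping them silently
                Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
                continue
            }
            # Same criteria as the script in the post; emit objects, not formatted text
            $services |
                Where-Object {
                    ($_.StartMode -like "auto") -and
                    $_.StartName -and
                    ($_.StartName -notlike "*NT Auth*") -and
                    ($_.StartName -notlike "*Local*")
                } |
                Select-Object SystemName, Name, StartMode, StartName, State
        }
    }
}

Import-Module ActiveDirectory

# Current domain only, to keep the example short
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows Server*"' |
    Select-Object -ExpandProperty DNSHostName

# One row per service; warnings for unreachable servers go to the console, not the file
$servers | Get-NamedServiceAccount |
    Export-Csv -Path .\ServiceAccounts.csv -NoTypeInformation
```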