Finding a Service’s Authentication ID

At work, we Administrators are considered prima donnas. And most of the time we accept that and will even admit to it. We like things a certain way and we tend to also get set in our ways. Recently the company hired a new VP of a department that promotes a more secure environment to work in. To protect the guilty, I’ll not use his name, so instead I’ll refer to him as Satan. *smirk* Satan has good intentions in the long run but has the social and personality skills of a pissed off bull. He has no professional courtesy, nor does he wish to. Now I will also note that anyone in his position will always be considered the ‘bad guy’, but I think he really enjoys the title more than just accepting it as a side effect of his profession.

I say all of that to say this: we, the prima donna group, have been in the habit of not changing our passwords as regularly as we should, and in cases where our bosses and end users beat us into submission about getting something to work “no matter how it’s done”, we’ve picked up some bad practices over the years. Such as running a service, scheduled task, or mapped drive with our own credentials. Well, without warning Satan decided to enforce the company policies in the middle of a work day and force a company-wide password change, which under most circumstances wouldn’t be so bad… however, this broke a lot of things that people have forgotten about for years (i.e. a Service that’s been running under ‘Johnsmith’ for the last 28 months). The key point in this was “WITHOUT WARNING”, none. He is 100% correct in enforcing the rule, but professional courtesy should have given us a day or two’s heads up about it so we could prepare.

Either way, I scrambled to make sure none of my servers were affected, and none were; however, others were. I put together this PowerShell script to at least run through and look for any service account IDs that match the syntax of our standard user IDs, and to kick out a report showing which ones are potential dangers.

```powershell
# The first section merely defines important variables such as the log that will be written to, date, or time.
$log = "c:\temp\Service_IDs.txt"

# The section below wipes the log and writes a date stamp within the file.
# Out-File without -Append overwrites an existing file and creates a missing one,
# so the date stamp is written whether or not the log already exists.
$date = Get-Date
Write-Output ("The following Information is for Servers on your list: " + ($date)) | Out-File $log
Start-Sleep -Seconds 2

# The section below reads from a list of servers (defined in the $servers variable) and loops through each.
$servers = Get-Content "c:\scripts\powershell\servers_prod.txt"
foreach ($server in $servers) {
    Start-Sleep -Seconds 1

    # This part queries each Service on each server and keeps the ones whose account login name
    # matches the [regex] pattern. "s*d" is the pattern as posted; replace it with a pattern
    # that describes your own standard user IDs.
    $svc = Get-WmiObject Win32_Service -ComputerName $server | Where-Object { $_.StartName -match "s*d" }
    foreach ($service in $svc) {
        # The following section actually writes each hit to the log in a format that is quicker to understand.
        "Server: " + ($server) + " | Service Name: " + ($service.Name) + " | Service Account ID: " + ($service.StartName) | Out-File -Append $log
    }
    Start-Sleep -Seconds 2
}

# The last line merely opens the file when it’s done appending.
Invoke-Item $log
```

* Notice you see (Start-Sleep *) in the file in several locations. This is to keep the script from stepping all over itself. When run without it you will see errors where there is contention between one loop and another. Basically the script is running too fast, and one section is still processing while the next one wants access to the file.
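As an added example (not the script from the post above), here is the same audit taken one step further: instead of matching your user-ID syntax, it flags any service or scheduled task whose run-as account is not a well-known built-in identity, since those are the ones a forced password change can break. It assumes remote CIM access to the servers and the ScheduledTasks module on the targets; the server list path is the one from the post, and the CSV output path is an assumption.

```powershell
# Added example, not the original post's script. Lists services and scheduled
# tasks running as something other than a built-in identity.
$servers = Get-Content "c:\scripts\powershell\servers_prod.txt"   # path from the post
$report  = "c:\temp\Service_IDs.csv"                              # assumed output path

# Identities that are not a person's credentials. Conservative list: extend it
# with your gMSA/group naming convention so real service accounts are not flagged.
$builtin = '^(LocalSystem|SYSTEM|LOCAL SERVICE|NETWORK SERVICE|INTERACTIVE|Users|Administrators' +
           '|NT AUTHORITY\\(SYSTEM|LocalService|NetworkService|Local Service|Network Service)' +
           '|NT SERVICE\\.+|S-1-5-(18|19|20))$'

function Test-PersonalAccount {
    param([string]$Account)
    # Empty run-as (e.g. a task with no principal) is not a personal credential.
    if ([string]::IsNullOrWhiteSpace($Account)) { return $false }
    return ($Account -notmatch $builtin)   # -notmatch is case-insensitive by default
}

$findings = foreach ($server in $servers) {
    try {
        $session = New-CimSession -ComputerName $server -ErrorAction Stop
    } catch {
        Write-Warning "Cannot reach $server : $($_.Exception.Message)"
        continue
    }
    # Services: StartName is the logon account the service runs as.
    Get-CimInstance -CimSession $session -ClassName Win32_Service |
        Where-Object { Test-PersonalAccount $_.StartName } |
        ForEach-Object {
            [pscustomobject]@{ Server = $server; Type = 'Service'; Name = $_.Name
                               Account = $_.StartName; State = $_.State }
        }
    # Scheduled tasks: Principal.UserId is the run-as account.
    Get-ScheduledTask -CimSession $session |
        Where-Object { Test-PersonalAccount $_.Principal.UserId } |
        ForEach-Object {
            [pscustomobject]@{ Server = $server; Type = 'ScheduledTask'; Name = $_.TaskName
                               Account = $_.Principal.UserId; State = $_.State }
        }
    Remove-CimSession $session
}

# Group by account so one person's ID shows up once with everything that depends on it.
$findings | Sort-Object Account, Server, Type | Export-Csv -Path $report -NoTypeInformation
$findings | Format-Table -AutoSize
Invoke-Item $report
```

Sorting the report by account makes it easy to see, before the next enforced password change, which user IDs have to be migrated to a dedicated service account first.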

** I am by no means good at scripting. I do it on my own for personal and work reasons and am sure to be told by many that there are easier ways to accomplish the same tasks. Feel free to drop me a line or comment.

– Jason
