Active Directory service account

el ma 1 Reputation point
2021-02-03T18:49:22.47+00:00

There are a couple of accounts like cluster, Rep, Scheduler in Active Directory (Windows Server 2016). How can I find out if they are being used for any services?

Active Directory

3 answers

  1. Anonymous
    2021-02-03T19:00:44.673+00:00

    You could list them and have a look.
    https://devblogs.microsoft.com/scripting/the-scripting-wife-uses-powershell-to-find-service-accounts/

    --please don't forget to Accept as answer if the reply is helpful--


  2. el ma 1 Reputation point
    2021-02-03T19:07:31.307+00:00

    I already ran the command but I only see these two StartNames for different Services:

    StartName : LocalSystem

    StartName : NT AUTHORITY\LocalService


  3. Daisy Zhou 26,401 Reputation points Microsoft Vendor
    2021-02-04T05:37:00.257+00:00

    Hello @el ma,

    Thank you for posting here.

    We can try to run the command on every machine that may run these service accounts, then check if we can find all the service accounts you want.

    Or we can check whether we can see event ID 4771 (Kerberos authentication) for accounts like cluster, Rep, Scheduler, or event ID 4776 (NTLM authentication) for accounts like cluster, Rep, Scheduler, in the DCs' security logs.

    For Kerberos authentication, both authentication success and authentication failure have the same event ID 4771, but the information is not the same.
    For NTLM authentication, both authentication success and authentication failure have the same event ID 4776, but the information is not the same.

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou
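
The two approaches from the answers above (checking service StartName on each machine, and checking DC security logs for the accounts), combined as an added PowerShell example that is not code from the thread or the linked blog post. The host names `SRV01`, `SRV02` and `DC01`, the 30-day window and the helper `Test-AccountMatch` are assumptions; event ID 4768 (Kerberos TGT request) is added here alongside the two IDs the answer names.

```powershell
# Added example. Account names are from the question; hosts below are placeholders.
$Accounts          = 'cluster', 'Rep', 'Scheduler'
$Computers         = 'SRV01', 'SRV02'      # assumption: servers to inspect
$DomainControllers = 'DC01'                # assumption: DC(s) holding the Security log
$EventIds          = 4771, 4776, 4768      # 4771/4776 from the answer; 4768 added here
$Since             = (Get-Date).AddDays(-30)

# Hypothetical helper: true when DOMAIN\name, name@domain or bare name is in $Names.
function Test-AccountMatch {
    param([string]$Value, [string[]]$Names)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $false }
    $leaf = ($Value -split '\\')[-1] -replace '@.*$', ''
    return $Names -contains $leaf          # -contains is case-insensitive
}

# 1) Services whose logon account (StartName) is one of the accounts.
$serviceHits = foreach ($c in $Computers) {
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $c -ErrorAction Stop |
            Where-Object { Test-AccountMatch $_.StartName $Accounts } |
            Select-Object @{n = 'Computer'; e = { $c }}, Name, StartName, State
    } catch {
        Write-Warning "Could not query ${c}: $($_.Exception.Message)"
    }
}

# 2) Authentication events for the accounts in the DC Security log.
$eventHits = foreach ($dc in $DomainControllers) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = $EventIds; StartTime = $Since
    } | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (Test-AccountMatch $data['TargetUserName'] $Accounts) {
            [pscustomobject]@{
                DC      = $dc
                Time    = $_.TimeCreated
                EventId = $_.Id
                Account = $data['TargetUserName']
                # 4776 records the workstation name; the Kerberos events record an IP
                Source  = if ($_.Id -eq 4776) { $data['Workstation'] } else { $data['IpAddress'] }
                Status  = $data['Status']
            }
        }
    }
}

$serviceHits | Format-Table -AutoSize
$eventHits | Group-Object Account, Source, EventId | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

An account with no service hits and no authentication events in the window is a candidate for being unused; the `Source` column points to the machines to check for the rest.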

