There are a couple of accounts like cluster, Rep, Scheduler in Active Directory (Win Server 2016). How can I find out if they are being used for any services?
You could list them and have a look.
https://devblogs.microsoft.com/scripting/the-scripting-wife-uses-powershell-to-find-service-accounts/
--please don't forget to Accept as answer if the reply is helpful--
I already ran the command but I only see these two StartNames for different Services:
StartName : LocalSystem
StartName : NT AUTHORITY\LocalService
Hello @el ma,
Thank you for posting here.
We can try to run the command on every machine that may run these service accounts, then check if we can find all the service accounts you want.
Or we can check if we can see event ID 4771 (Kerberos authentication) for accounts like cluster, Rep, Scheduler or event ID 4776 (NTLM authentication) for accounts like cluster, Rep, Scheduler on the DCs' security logs.
For Kerberos authentication, both authentication success and authentication failure are the same event ID 4771, but the information is not the same.
For NTLM authentication, both authentication success and authentication failure are the same event ID 4776, but the information is not the same.
Hope the information above is helpful.
Best Regards,
Daisy Zhou
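
The two checks suggested in the answer above, as an added PowerShell example that is not part of the original thread: it lists services on several machines whose logon account matches the names from the question, then searches the DC Security logs for the event IDs the answer names. The host names (`SERVER01`, `SERVER02`, `DC01`) and the 7-day window are assumptions to replace with your own values.

```powershell
# Added example. Account names come from the question; host names are placeholders.
$Accounts  = 'cluster', 'Rep', 'Scheduler'
$Computers = 'SERVER01', 'SERVER02'   # placeholder: machines that may run the services
$DCs       = 'DC01'                   # placeholder: domain controllers to query

# Match DOMAIN\name, .\name, name@domain and bare name (-match is case-insensitive).
$names   = ($Accounts | ForEach-Object { [regex]::Escape($_) }) -join '|'
$pattern = '(^|\\)(' + $names + ')(@|$)'

# 1) Services on each machine whose StartName is one of the accounts.
$services = foreach ($c in $Computers) {
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $c -ErrorAction Stop |
            Where-Object { $_.StartName -match $pattern } |
            Select-Object @{n='Computer';e={$c}}, Name, StartName, State, StartMode
    } catch {
        Write-Warning "Could not query services on ${c}: $($_.Exception.Message)"
    }
}

# 2) Events 4771 and 4776 in each DC's Security log that name one of the accounts.
$events = foreach ($dc in $DCs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776; StartTime = (Get-Date).AddDays(-7)
        } | ForEach-Object {
            $e = $_
            $data = @{}   # EventData fields of this event, keyed by field name
            ([xml]$e.ToXml()).Event.EventData.Data |
                ForEach-Object { $data[$_.Name] = $_.'#text' }
            if ($data['TargetUserName'] -match $pattern) {
                [pscustomobject]@{
                    DC = $dc; Time = $e.TimeCreated; EventId = $e.Id
                    Account = $data['TargetUserName']
                    # 4771 records the client IP address, 4776 the workstation name
                    Source = if ($e.Id -eq 4771) { $data['IpAddress'] } else { $data['Workstation'] }
                    Status = $data['Status']
                }
            }
        }
    } catch {
        Write-Warning "No matching events, or Security log unreadable, on ${dc}: $($_.Exception.Message)"
    }
}

$services | Format-Table -AutoSize
$events | Sort-Object Time | Format-Table -AutoSize
```

Run it from an elevated session with rights to read the Security log on the DCs. The `Source` column points to the machine where an account is in use, which is where the first check should then be run.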