question

DavidHernanEscalierYaiquez-9488 asked

Users "Domain Admins", see on which servers these users are connected

Hello everybody,

I have to get the users with Domain Admins privileges that are being used on all servers in the domain.

These users have been set up as "service accounts" without any security criteria, and I need to modify these accounts, but I do not have a list of which servers they are on, let alone which accounts they are.

I hope for your help.

Best regards,

windows-active-directory

DSPatrick answered

This tool might help.
https://docs.microsoft.com/en-us/sysinternals/downloads/psloggedon

--please don't forget to Accept as answer if the reply is helpful--


Thanks for your answer,

PsLoggedOn can only be run locally. I have more than 500 servers, and it would be better to get them remotely, for example by a script.

DSPatrick replied to DavidHernanEscalierYaiquez-9488:

If you specify a user name instead of a computer, PsLoggedOn searches the computers in the network neighborhood and tells you if the user is currently logged on.

DaisyZhou-MSFT answered

Hello @DavidHernanEscalierYaiquez-9488,

Thank you for posting here.

We can check the members in Domain Admins.
Then configure audit policy settings on DC.

GPO: Default Domain Controller Policy

Legacy audit policy:

Computer Configuration\Windows settings\security settings\local policies\audit policy
Audit Account Logon Events - Success and Failure
Audit Account Management - Success and Failure

Or use advanced audit policies (advanced audit policies will overwrite all legacy audit policies by default):

Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration

Account Logon:
Audit Kerberos Authentication Service - Success and Failure
Audit Credential Validation Service - Success and Failure

Account Management:
Audit User Account Management - Success and Failure

After that, if any domain account logs on any domain machine, we can check event ID 4771 or event ID 4776.
From these events, we can try to find the accounts and the server machines.



Tip:
If you have never configured any advanced audit policies before, then please configure the traditional audit policies.
If you have configured any advanced audit policy before, then configure the advanced audit policy.


For more information, we can refer to links below.
4771(F): Kerberos pre-authentication failed.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771

4776(S, F): The computer attempted to validate the credentials for an account.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776


I am sorry, we are not experts in scripting. Here is a Scripting Blog link with many sample scripts; you can check whether any script is helpful to you.

Scripting Blog
https://devblogs.microsoft.com/scripting/tag/active-directory/

And we hope that some experts in scripting can provide you with further help.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


Thanks for your answer. I have the audit policy enabled, but it's over 200 servers and verifying one by one would take a long time.

DavidHernanEscalierYaiquez-9488 answered
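The events Daisy lists (4771 and 4776) are written to the Security log of the domain controllers, not of the 200 member servers, so they can be collected centrally from a handful of DCs. The script below is an added example, not code from this thread or from Microsoft: it reads those events from every DC for the last seven days (an assumed window), keeps only the ones whose target account is a member of Domain Admins, and lists the source host each admin account authenticated from. Event 4768 (a successful Kerberos TGT request) is added alongside the two IDs from the answer because 4771 records pre-authentication failures only. It assumes the ActiveDirectory RSAT module and permission to read the Security log on the DCs.

```powershell
# Added example: find from which hosts Domain Admins accounts authenticate,
# using the DC-side events 4768 (TGT requested), 4771 (Kerberos pre-auth
# failed) and 4776 (NTLM credential validation). Not from the original thread.
Import-Module ActiveDirectory

# Members of Domain Admins (including nested groups), case-insensitive lookup
$adminSet = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { [void]$adminSet.Add($_.SamAccountName) }

$filter = @{
    LogName   = 'Security'
    Id        = 4768, 4771, 4776
    StartTime = (Get-Date).AddDays(-7)   # assumed look-back window
}

$hits = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            # 4776 names the source as Workstation; the Kerberos events log an
            # IpAddress (often in ::ffff:a.b.c.d form)
            $source = if ($_.Id -eq 4776) { $data['Workstation'] } else { $data['IpAddress'] }
            # Kerberos events may log user@REALM; keep only the sAMAccountName part
            $user = ($data['TargetUserName'] -split '@')[0]

            if ($adminSet.Contains($user)) {
                [pscustomobject]@{
                    DomainController = $dc
                    EventId          = $_.Id
                    Time             = $_.TimeCreated
                    Account          = $user
                    Source           = $source
                }
            }
        }
    } catch {
        Write-Warning "Could not read the Security log on ${dc}: $($_.Exception.Message)"
    }
}

# One row per (account, source host) with an event count and the last time seen
$hits | Group-Object Account, Source | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Account  = $first.Account
        Source   = $first.Source
        Events   = $_.Count
        LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
    }
} | Sort-Object Account, Source | Format-Table -AutoSize
```

The output tells you where an admin account is being used, but not by what: a row for a server can come from a service logon, a scheduled task or an interactive session. Use it to narrow the list of servers to look at, then enumerate the services on those hosts to find which service is running under the account.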

What I am looking for is a script that can return to me which domain users are being used for services (these accounts are not configured as Account Services, they are normal accounts) and on which services and servers they are running.
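The following is an added example for exactly this request; it is not the asker's or Microsoft's code. It enumerates every enabled server computer object in AD, connects to each over WinRM, and lists the Windows services whose logon account (Win32_Service.StartName) is a member of Domain Admins, with the service name, state and start mode. This works for ordinary user accounts used as service identities and does not depend on the DC audit logs. It assumes the ActiveDirectory RSAT module, WinRM access and local admin rights on the servers, that DNS resolves each DNSHostName, and an output CSV path of your choosing.

```powershell
# Added example: list services on all domain servers that run as a member of
# Domain Admins. Not from the original thread.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$adminSet = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { [void]$adminSet.Add($_.SamAccountName) }

function Get-SamFromStartName {
    # Normalise "DOMAIN\user", "user@domain.tld" and built-in names to a
    # sAMAccountName; returns $null for local and built-in service identities
    param([string]$StartName, [string]$NetBiosDomain)
    if ([string]::IsNullOrWhiteSpace($StartName)) { return $null }
    if ($StartName -match '^(?<dom>[^\\]+)\\(?<user>.+)$') {
        # ".\user", "NT AUTHORITY\...", "NT SERVICE\..." or a local account on
        # the server itself are not domain accounts
        if ($Matches.dom -ne $NetBiosDomain) { return $null }
        return $Matches.user
    }
    if ($StartName -match '^(?<user>[^@]+)@') { return $Matches.user }
    return $null   # LocalSystem, LocalService, NetworkService
}

$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq "True"' -Properties OperatingSystem |
    Select-Object -ExpandProperty DNSHostName

$findings = foreach ($server in $servers) {
    $session = $null
    try {
        $session = New-CimSession -ComputerName $server -OperationTimeoutSec 30 -ErrorAction Stop
        Get-CimInstance -CimSession $session -ClassName Win32_Service |
        ForEach-Object {
            $sam = Get-SamFromStartName -StartName $_.StartName -NetBiosDomain $domain.NetBIOSName
            if ($sam -and $adminSet.Contains($sam)) {
                [pscustomobject]@{
                    Server      = $server
                    Service     = $_.Name
                    DisplayName = $_.DisplayName
                    RunsAs      = $_.StartName
                    State       = $_.State
                    StartMode   = $_.StartMode
                }
            }
        }
    } catch {
        # Unreachable hosts and WinRM failures are reported, not fatal
        Write-Warning "${server}: $($_.Exception.Message)"
    } finally {
        if ($session) { Remove-CimSession $session }
    }
}

$findings | Sort-Object Server, Service | Format-Table -AutoSize
# Assumed output path; each row is one service that must be moved off a Domain Admins account
$findings | Export-Csv -Path .\DomainAdminServiceAccounts.csv -NoTypeInformation
```

Services are the common case, but the same admin accounts can also be wired into scheduled tasks, IIS application pools or COM+ applications, which Win32_Service does not show; the CSV gives you the service list to remediate and the warnings give you the servers that still need a manual look.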