Service account usage finder

A read-only service account discovery pass for Windows services, scheduled tasks, and IIS application pools.

Good For

  • service account review
  • password rotation planning
  • identity cleanup
  • incident scoping
  • least-privilege audit

How to Use It

  1. Start with a host list from a password rotation, application inventory, or account owner request.
  2. Collect Windows service identities and record service name, display name, run-as account, and state.
  3. Collect scheduled task run-as identities and preserve task path so owners can find the exact task.
  4. On IIS servers, collect application pool identity settings and note custom user names separately from built-in identities.
  5. If the same account appears on unrelated workloads, split the findings by owner before recommending rotation or gMSA migration.
  6. Group findings by account so owners can see every endpoint and workload using the identity.
  7. Use the report to plan rotations, gMSA migration, or decommissioning work through separate change tickets.

Execution Modes

  • local
  • remote-single-host
  • remote-host-list
  • ad-filtered

Inputs and Outputs

Inputs

  • computer name
  • CSV or TXT server list
  • Active Directory computer scope
  • known service account list

Outputs

  • verbose-console
  • csv
  • future-html-report

Command Starter

Safe to run: read-only

# Services: runs against a remote host over CIM; set $ComputerName first (use "." for the local host)
Get-CimInstance Win32_Service -ComputerName $ComputerName | Where-Object { $_.StartName -match "\\" -or $_.StartName -like "*@*" } | Select-Object Name, DisplayName, StartName, State
# Scheduled tasks: Get-ScheduledTask is local-only; wrap it in Invoke-Command for remote hosts
Get-ScheduledTask | Where-Object { $_.Principal.UserId -match "\\" -or $_.Principal.UserId -like "*@*" } | Select-Object TaskName, TaskPath, State, @{Name="RunAs";Expression={$_.Principal.UserId}}
# IIS app pools: local-only as well; identityType "SpecificUser" marks a custom run-as account, userName is empty for built-in identities
Import-Module WebAdministration; Get-ChildItem IIS:\AppPools | Select-Object Name, @{Name="IdentityType";Expression={$_.processModel.identityType}}, @{Name="UserName";Expression={$_.processModel.userName}}
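The steps under "How to Use It" and the three starters above, combined into one read-only host-list pass as an added example (not this tool's own script): it collects service, task, and app-pool identities per host, records an error note for hosts it cannot reach, exports everything to CSV, and prints a per-account summary of hosts and workload types. The file paths and the built-in-identity pattern are assumptions; WinRM access to each host is assumed for the task and app-pool collection.

```powershell
# Added example, not the page's own script. Read-only: it only queries and writes a CSV.
$HostListPath = 'C:\temp\hosts.txt'                     # assumption: one computer name per line
$OutCsv       = 'C:\temp\service-account-usage.csv'     # assumption: output location
# Built-in identities to keep out of the custom-account findings (assumed list, extend as needed)
$BuiltIn = '^(LocalSystem|SYSTEM|NT AUTHORITY\\.*|NT Service\\.*|NETWORK SERVICE|LOCAL SERVICE|Users|Administrators|INTERACTIVE)$'

$findings = foreach ($Computer in Get-Content $HostListPath) {
    try {
        # Windows services over CIM (works without WinRM if DCOM is allowed)
        Get-CimInstance Win32_Service -ComputerName $Computer -ErrorAction Stop |
            Where-Object { $_.StartName -and $_.StartName -notmatch $BuiltIn } |
            ForEach-Object { [pscustomobject]@{ Computer=$Computer; WorkloadType='Service'; Account=$_.StartName;
                                                 Name=$_.Name; Detail=$_.DisplayName; State=$_.State; Note='' } }
        # Scheduled tasks and IIS app pools are local-only cmdlets, so run them on the host itself
        Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            Get-ScheduledTask | Where-Object { $_.Principal.UserId -and $_.Principal.UserId -notmatch $using:BuiltIn } |
                ForEach-Object { [pscustomobject]@{ WorkloadType='Task'; Account=$_.Principal.UserId;
                                                     Name=$_.TaskName; Detail=$_.TaskPath; State=$_.State.ToString() } }
            if (Get-Module -ListAvailable WebAdministration) {
                Import-Module WebAdministration
                # Only SpecificUser pools carry a custom user name; built-in pool identities are skipped here
                Get-ChildItem IIS:\AppPools | Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
                    ForEach-Object { [pscustomobject]@{ WorkloadType='AppPool'; Account=$_.processModel.userName;
                                                         Name=$_.Name; Detail=$_.processModel.identityType; State=$_.state } }
            }
        } | ForEach-Object { [pscustomobject]@{ Computer=$Computer; WorkloadType=$_.WorkloadType; Account=$_.Account;
                                                 Name=$_.Name; Detail=$_.Detail; State=$_.State; Note='' } }
    } catch {
        # Validation rule from this page: every scoped host gets evidence or an access/error note
        [pscustomobject]@{ Computer=$Computer; WorkloadType='n/a'; Account=''; Name=''; Detail=''; State='';
                           Note="ERROR: $($_.Exception.Message)" }
    }
}

$findings | Export-Csv -Path $OutCsv -NoTypeInformation

# Per-account view: which hosts and workload types depend on each identity (input for owner split and rotation planning)
$findings | Where-Object Account | Group-Object Account | Sort-Object Count -Descending |
    Select-Object @{n='Account';e={$_.Name}}, Count,
                  @{n='Hosts';e={($_.Group.Computer | Sort-Object -Unique) -join ';'}},
                  @{n='Workloads';e={($_.Group.WorkloadType | Sort-Object -Unique) -join ';'}} |
    Format-Table -AutoSize
```

A host whose services were collected but whose WinRM call fails will appear with both its service rows and an error row, which is the intended "evidence or error note" outcome.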

Validation

  • Every scoped host has service-account evidence or an access/error note.
  • Each discovered identity is mapped to at least one service, task, app pool, or unknown-use bucket.
  • Any later password rotation has owner approval, dependency checks, and a rollback plan.

Reporting

  • export service, task, and app-pool identity usage to CSV
  • group usage by account, server, workload type, and owner
  • promote repeated use into a service-account dependency report

Safety Notes

  • This discovery pass is read-only and should not change service, task, or app-pool identities.
  • Do not rotate, disable, or delete service accounts until dependency owners and rollback paths are confirmed.