One of the things clients ask me about all the time is "How do I find out what service accounts are in use on my servers?"
I can't tell you how many times I've spoken to a customer and they have no idea what accounts are out there running services, and in particular where the Administrator account is being used to run services!
The good thing is that with Active Directory this is pretty easy to get. All you need to do is use the script below to get a nice CSV file that contains all of the non-normal service accounts. What is a "non-normal" service account, you might ask? Anything that is not:
LocalSystem
NT AUTHORITY\LocalService
NT AUTHORITY\Local Service
NT AUTHORITY\NetworkService
NT AUTHORITY\Network Service
The script works by finding all the AD computer objects that have "Server" in their OperatingSystem attribute. It then checks whether each server is alive and, if it is, queries the services on that server using WMI. Once it has the services, it outputs any service that does not run as one of the normal service accounts. If you have accounts that you consider "normal", just add them to the $systemservicenames array.
You will see an error in the console if you are running it on a server since the WMI query will balk at using credentials for connecting to the local machine.
Here's the script, please remember to test in your environment before using!
You can also download the source from my GitHub page at: https://github.com/mikecessna/ActiveDirectoryScripts/blob/master/find-serviceaccounts.ps1
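The steps described in this post, written out as an added PowerShell example; this is not the author's script from the link above. It assumes the ActiveDirectory module, Windows PowerShell with Get-WmiObject, and a single ping as the liveness check; $cred, $outFile and the selected columns are illustrative names chosen here.

```powershell
# Added example: follows the approach described in the post, not the author's script.
Import-Module ActiveDirectory

# Accounts treated as "normal"; extend this list for your environment.
$systemservicenames = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\Local Service',
    'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\Network Service'
)

$cred    = Get-Credential           # account with remote WMI rights on the servers
$outFile = '.\serviceaccounts.csv'  # assumed output path

# All computer objects whose OperatingSystem attribute contains "Server".
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem

$results = foreach ($server in $servers) {
    $name = if ($server.DNSHostName) { $server.DNSHostName } else { $server.Name }

    # Skip hosts that do not answer a single ping.
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) { continue }

    $wmiArgs = @{ Class = 'Win32_Service'; ComputerName = $name; ErrorAction = 'Stop' }
    # WMI rejects explicit credentials for the local machine, so omit them there.
    if ($server.Name -ne $env:COMPUTERNAME) { $wmiArgs.Credential = $cred }

    try {
        Get-WmiObject @wmiArgs |
            Where-Object { $_.StartName -and ($systemservicenames -notcontains $_.StartName) } |
            Select-Object @{ n = 'Server'; e = { $name } }, Name, DisplayName, StartName, State, StartMode
    } catch {
        # Record unreachable or access-denied hosts instead of silently dropping them.
        Write-Warning "WMI query failed on ${name}: $($_.Exception.Message)"
    }
}

$results | Sort-Object StartName, Server | Export-Csv -Path $outFile -NoTypeInformation

# Services running as an Administrator account are the first thing to review.
$results | Where-Object { $_.StartName -match '(^|\\)Administrator$' } |
    Format-Table Server, Name, StartName
```

Servers that block ICMP are skipped by the ping check, so compare the CSV against the full server list before treating it as complete.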