HOWTO: Find All Exchange Service Accounts in Active Directory


A lot of data breaches start with attacks on privileged service accounts. Finding out where Exchange service accounts in Active Directory are being used is an important step in proactive security lockdown of your corporate network.

Action1 is a free Cloud-based Endpoint Security Platform. Among hundreds of other built-in features, it allows to automate the discovery of Exchange service accounts in Active Directory. After the discovery is done, you can manage service account passwords and perform other maintenance operations. This article explains how to list Exchange service accounts using Action1 to find service accounts in domain and also shows how to list service accounts from command line for organizations that are not able to utilize Action1 in their environments.



Manually:

1. Run WMI query in ROOT\CIMV2 namespace:

   - Start WMI Explorer or any other tool which can run WMI queries.
   - Run WMI query: SELECT * FROM Win32_Service

2. Run wmic command-line interface:

   - Press WIN+R
   - Type "wmic", press Enter
   - In wmic command prompt type: /node:RemoteComputerName service

3. Run Powershell script:

   - thru WMI object: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service -Computer RemoteComputerName

4. Select specific columns:

   - run: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service -Computer RemoteComputerName | Select-Object DisplayName, Started, StartMode, StartName, PSComputerName

5. Sort results:

   - run: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service -Computer RemoteComputerName | Select-Object DisplayName, Started, StartMode, StartName, PSComputerName | Sort-Object DisplayName

6. Filter results:

   - run: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service -Computer RemoteComputerName | Select-Object DisplayName, Started, StartMode, StartName, PSComputerName | Where-Object -FilterScript {$_.DisplayName -like "*Exchange*"}

7. Save to CSV file:

   - run: Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service -Computer RemoteComputerName | Select-Object DisplayName, Started, StartMode, StartName, PSComputerName | Export-CSV "c:\file.csv" -Append -NoTypeInformation

8. Query multiple computers:

   - computers from a text file: Get-Content -Path c:\computers.txt | ForEach-Object {Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service -Computer $_}
   - computers from AD domain: Get-ADComputer -Filter {OperatingSystem -Like “Windows 10*”} | ForEach-Object {Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service -Computer $_.Name}

With Action1 Endpoint Security Platform:

Step 1 - Sign-up for free:

 

Step 2 - Type your question in plain English:

Step 3 - Set filters, if necessary:

Step 4 - See results from all endpoints in seconds:

Endpoint NameDisplay NameStartedUser NameState
mac.widgets.localSQL ServerTrueWIDGETS\sql1Running
fred.widgets.localMS ExchangeTrueWIDGETSxchRunning
ray.widgets.localFile BackupFalseWIDGETS\b1Stopped

Do not have time to write scripts? Check out Action1 Endpoint Security Platform. Ask questions in plain English such as "list of installed software" or "all running processes".
Get answers instantly from live systems or subscribe to real-time alerts:


When exposed, privileged service accounts can substantially widen your network’s cyberattack surface. A very common typical set-it-and-forget-it service account management practice of never changing service account passwords can lead to major data breaches and other security incidents. According to many security best practices and standards, it’s recommended to change accounts passwords every 90 to 180 days. This can become a very tedious task, if you have hundreds of systems each running a few services and don’t have a good documentation about account usage (which is most organizations don’t have, unfortunately). Most recent versions of Windows Server also have a concept of managed service accounts, however their adoption by a lot of organizations has yet to be seen and the it’s quite complicated. With that being said, one practical way of managing service account security is to continuously maintain an inventory of all services across your Active Directory network, which domain accounts they use (non-built-in accounts) and change their passwords from time to time. And don’t forget to update the account information in service settings, to avoid service account login failures.


Other Relevant HOWTOs: