Replacing a super user by many finer grained users (security)

I find myself in the situation where I have a super user account that can basically do everything in the domain and is set to run scheduled tasks, windows services and websites.

I have inherited this situation (I understand this is very bad practice) and have to eliminate this super user account and replace it by an account per application.

So my task is to first map

  1. where this account is used (for example to run Service X on Server Y)
  2. what folders/files it tries to access

Once I have this mapped out I will create many accounts that only have access to the required folders/files.

For example,

Super account runs windows service X on server Y and writes to folder Z
                   windows service A on server B and writes to folder C

Is replaced by

New Account 1 runs windows service X and has write access to folder Z
New Account 2 runs windows service A and has write access to folder C

There are many servers (20+) in the domain which have to be examined, so my specific question is on how to automate this.

I’m a developer so am a bit green when it comes to sysadmin tasks. I wanted to give a nice bounty on this question but can’t transfer my stackoverflow reputation. Hope you can help me out nevertheless.

Answer

Well, unfortunately for you, you can’t really automate this. There’s no “all the places this account is used” function or attribute, so there’s a large degree of manual effort involved in ferreting out that information.

Event Logs can be helpful, usually with the assistance of audit-level logging, which can be set for individual files and folders as well as for account logon events, and both can be set by Group Policy (so you don’t have to make the changes on every system you wish to monitor). For that matter, just about anything can be set to audit-level logging, but logon activity and file/folder access are generally the most useful that I’ve found in tracking down where all a given account is used.

If you really want to make your life easier, after setting your logging policies, set up event forwarding so that all the events you’re interested in get forwarded to a single location (so you no longer have to hunt them down on each server individually).

The SysInternals suite is also very useful (ProcMon and ProcExplorer in particular) if you’re trying to track currently running processes, rather than just collecting logs and waiting for a process to start up, and many of the other tools will be useful in tracking down what all the account in question has access to… which is usually a good start in trying to determine what all it actually does.

Oh, and check the scheduled tasks on all your servers. Maybe you get lucky and find that all the things this “everything service/administrator account” does are through the scheduled tasks on your servers. (Not likely, but you need to check there anyway.)

Beyond that, though, you’re really relegated to doing something of a “scream test.” Find the services, processes and scripts you can, move those over to being run by a proper service account, and then disable the “everything service/administrator account.” See what breaks. Again, your logs should be helpful, as anything that’s still trying to use the account will pop up with failure audits in a security log somewhere. Enable the account again while you fix whatever broke. Repeat as needed. And remember that there’s a potential for some uses to happen at long time intervals (some maintenance task that runs once a month, for example), so it’ll be a while before you can declare success and put this all behind you.

If this sounds like a time-consuming pain-in-the-ass, that’s because it is. In your shoes, I’d use it to convince the boss to hire/contract a junior administrator to do this work for me, and as an argument to why proper standards and actual administrators are needed. There’s really very little sense in having a senior resource or a development resource (at their high effective hourly wages) do the kind of log-reading and basic administrative stuff that basically anyone can do for $10/hour.
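As an added example (not from the question or the answer above), the part of the mapping that can be scripted: a PowerShell inventory of every Windows service and scheduled task configured to run as one account, across all servers in the domain. It assumes WinRM is enabled, the caller is a local admin on each target, Server 2012 or later (for `Get-ScheduledTask`) and the ActiveDirectory module is installed; the account name is a placeholder. IIS application pool identities and anything started by other means still need the log-based approach described in the answer.

```powershell
# Added example, not from the question or answer: list every service and
# scheduled task that runs as the inherited super user, across domain servers.
# Assumes WinRM, local admin on targets and the ActiveDirectory module.
$Account = 'CONTOSO\svc-everything'            # placeholder for the super user
$Sam     = ($Account -split '\\')[-1]          # bare sAMAccountName
$Servers = (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').Name

$unreachable = @()
$inventory = foreach ($s in $Servers) {
    try {
        # Services: Win32_Service.StartName is the logon account. Normalise
        # "DOMAIN\user", ".\user" and "user@domain" to the bare user name.
        Get-CimInstance Win32_Service -ComputerName $s -ErrorAction Stop |
            Where-Object { ($_.StartName -replace '^.*\\','' -replace '@.*$','') -eq $Sam } |
            ForEach-Object {
                [pscustomobject]@{ Server=$s; Kind='Service'; Name=$_.Name
                                   RunAs=$_.StartName; Command=$_.PathName }
            }
        # Scheduled tasks: Principal.UserId is the run-as account
        Invoke-Command -ComputerName $s -ErrorAction Stop -ScriptBlock {
            param($Sam)
            Get-ScheduledTask | Where-Object {
                ($_.Principal.UserId -replace '^.*\\','' -replace '@.*$','') -eq $Sam
            } | ForEach-Object {
                $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
                [pscustomobject]@{ Server=$env:COMPUTERNAME; Kind='Task'
                                   Name=($_.TaskPath + $_.TaskName)
                                   RunAs=$_.Principal.UserId; Command=$cmd }
            }
        } -ArgumentList $Sam | Select-Object Server,Kind,Name,RunAs,Command
    }
    catch { $unreachable += $s }   # offline or WinRM blocked: check by hand
}

# One row per (server, service/task) is the starting point for the
# "New Account N runs X and needs folder Y" mapping.
$inventory | Sort-Object Server,Kind,Name |
    Export-Csv .\super-user-usage.csv -NoTypeInformation
$inventory | Format-Table -AutoSize
if ($unreachable) { "Could not inventory: $($unreachable -join ', ')" }
```

The unreachable list matters as much as the CSV: a server you could not query is exactly where a forgotten task can survive the “scream test”.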

Attribution
Source: Link, Question Author: buckley, Answer Author: HopelessN00b