So I'm looking to audit ~400-500 service accounts, run on over 1050 VM servers. The names of these accounts vary but most have "svc" as a prefix.
So far I have:
- Filtered the Scheduled Tasks on each server using WMI for the service account that runs them. (~60% Verified in use)
- Queried the servers for their respective services and the services' owners using WMI. (~50% of the remaining unknowns were located)
- Consulted managers of other units and found only a handful were known.
- Discussed auditing the account logins from the PDC but some service accounts may be essential and only log in once quarterly.
Now I have fewer than a hundred completely unknown service accounts. Any ideas where to go from here?
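The service and scheduled-task sweep described in the post, as an added example that is not part of the original post. It uses the CIM cmdlets to query the same WMI classes. The server names, account names, the `svc` match pattern and both function names are assumptions made for illustration.

```powershell
# Added example: inventory where service accounts are used, then list the ones not found.
function Get-ServiceAccountUsage {
    param(
        [string[]]$Servers,
        [string]$Pattern = 'svc'   # assumption: substring that marks a service account
    )
    foreach ($server in $Servers) {
        try {
            $session = New-CimSession -ComputerName $server -ErrorAction Stop
        } catch {
            # Record unreachable servers so they are not mistaken for "no usage found"
            [pscustomobject]@{ Server = $server; Account = $null; Source = 'Unreachable'; Name = $_.Exception.Message }
            continue
        }
        try {
            # Windows services: StartName is the account the service logs on as
            Get-CimInstance -CimSession $session -ClassName Win32_Service |
                Where-Object { $_.StartName -match $Pattern } |
                ForEach-Object {
                    [pscustomobject]@{ Server = $server; Account = $_.StartName; Source = 'Service'; Name = $_.Name }
                }
            # Scheduled tasks: Principal.UserId is the run-as account
            Get-ScheduledTask -CimSession $session |
                Where-Object { $_.Principal.UserId -match $Pattern } |
                ForEach-Object {
                    [pscustomobject]@{ Server = $server; Account = $_.Principal.UserId; Source = 'ScheduledTask'; Name = ($_.TaskPath + $_.TaskName) }
                }
        } finally {
            Remove-CimSession -CimSession $session
        }
    }
}

function Get-UnlocatedAccount {
    param([string[]]$AllAccounts, [object[]]$Usage)
    # Normalise DOMAIN\name and name@domain to the bare account name before comparing
    $seen = $Usage | Where-Object Account | ForEach-Object {
        ($_.Account -replace '^.*\\', '' -replace '@.*$', '').ToLowerInvariant()
    } | Sort-Object -Unique
    $AllAccounts | Where-Object { $seen -notcontains $_.ToLowerInvariant() }
}

# Constructed sample inputs: two server names and three account names
$usage = Get-ServiceAccountUsage -Servers 'APP01', 'APP02'
Get-UnlocatedAccount -AllAccounts 'svc_backup', 'svc_sql', 'svc_legacy' -Usage $usage
```

Rows with `Source = 'Unreachable'` mark servers whose results are missing, so an account appearing in the unlocated list may still be in use on one of them.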