This setting is managed by your domain administrator.


While Domain Admins is the most commonly used AD admin group, there are several others that could be used.

Common privileged AD groups that may contain Service Accounts:


Service accounts are that gray area between regular user accounts and admin accounts that are often highly privileged. They are almost always over-privileged due to documented vendor requirements or because of operational challenges (“just make it work”).

We can discover service accounts by looking for user accounts with Kerberos Service Principal Names (SPNs), which I call SPN Scanning. Service accounts without SPNs can also be discovered by querying AD accounts for ‘SVC’, or ‘Service’, or common vendor product names.

The following PowerShell commands require the Active Directory PowerShell module.

Discover service accounts (user accounts with SPNs):

    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties Name,AdminCount,ServicePrincipalName,PasswordLastSet,LastLogonDate,MemberOf
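
The two discovery methods described here (SPN scanning and name matching) can be combined into one audit report that also shows which of the discovered accounts sit in privileged groups and how old their passwords are. This is an added example, not the author's code; the group list, the name patterns and the 365-day threshold are assumptions to adjust for your domain.

```powershell
# Added example (not from the original page). Requires the Active Directory module.
Import-Module ActiveDirectory

# Assumptions: adjust the group list, name patterns and threshold to your domain.
$PrivilegedGroups   = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators'
$NamePatterns       = 'svc', 'service'
$MaxPasswordAgeDays = 365

# Map member DN -> privileged groups it belongs to (nested membership included).
$privMembers = @{}
foreach ($group in $PrivilegedGroups) {
    try {
        foreach ($member in Get-ADGroupMember -Identity $group -Recursive) {
            $dn = $member.DistinguishedName
            if (-not $privMembers.ContainsKey($dn)) { $privMembers[$dn] = @() }
            $privMembers[$dn] += $group
        }
    } catch {
        Write-Warning "Could not read group '$group': $($_.Exception.Message)"
    }
}

# One LDAP query: accounts with an SPN, or whose name matches a service pattern.
$nameClauses = ($NamePatterns | ForEach-Object { "(sAMAccountName=*$($_)*)" }) -join ''
$ldapFilter  = "(|(servicePrincipalName=*)$nameClauses)"
$props       = 'AdminCount', 'ServicePrincipalName', 'PasswordLastSet', 'LastLogonDate'

$now = Get-Date
$report = Get-ADUser -LDAPFilter $ldapFilter -Properties $props | ForEach-Object {
    $pwdAge = if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays }
    $groups = $privMembers[$_.DistinguishedName]
    [pscustomobject]@{
        SamAccountName   = $_.SamAccountName
        Enabled          = $_.Enabled
        HasSPN           = $_.ServicePrincipalName.Count -gt 0
        AdminCount       = $_.AdminCount
        PrivilegedGroups = $groups -join '; '
        PasswordAgeDays  = $pwdAge
        StalePassword    = ($null -eq $pwdAge) -or ($pwdAge -gt $MaxPasswordAgeDays)
        LastLogonDate    = $_.LastLogonDate
    }
}

# Privileged accounts with the oldest passwords first: the ones to review first.
$report |
    Sort-Object @{ Expression = { [bool]$_.PrivilegedGroups }; Descending = $true },
                @{ Expression = 'PasswordAgeDays'; Descending = $true } |
    Format-Table -AutoSize
```

The built-in krbtgt account carries an SPN and will appear in the output; pipe `$report` to `Export-Csv` instead of `Format-Table` to keep the results for review.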