I've got an old service account that is attached to an undetermined amount of scheduled tasks and services across 7 or 8 servers.
Unfortunately, this account was created by a previous employee who failed to document the password, so now I need to add more scheduled tasks that relate to this service. I'd really hate to create another service account just for my changes.
Is there something I can use on the domain controller(s) that will log whenever that service account is attempting to authenticate? That way, I'll know what I have to fix whenever I change the password! :)
If you have the proper auditing configured, and then use EventCombMT against your DCs, you can do this.
With only 7 to 8 servers, I'd do the following for services:
wmic /node:servername service where "startname like '%domain netbios name%'" get startname,name
and do
schtasks /s servername /query /v | findstr /i "domain netbios name"
for the scheduled tasks.
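The two per-server queries above, looped over a server list and merged into one inventory, as an added example that is not part of the original answer. The server names and account name are placeholders, and it matches on the account's user name rather than the domain NetBIOS name so that both DOMAIN\user and user@domain forms are caught.

```powershell
# Added example. $Servers and $Account are placeholders; replace with your own values.
$Servers = 'SERVER01', 'SERVER02'
$Account = 'CONTOSO\svc-legacy'
$SamName = ($Account -split '\\')[-1]   # user part only, e.g. svc-legacy

$results = foreach ($server in $Servers) {
    try {
        # Services: Win32_Service.StartName is the same field the wmic query reads.
        # Get-CimInstance uses WinRM by default; servers without it need wmic/DCOM instead.
        Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.StartName -and $_.StartName -like "*$SamName*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Server = $server; Type = 'Service'
                    Name = $_.Name; RunAs = $_.StartName
                }
            }
    } catch {
        Write-Warning "Services on ${server}: $($_.Exception.Message)"
    }

    # Scheduled tasks: same schtasks query, but as CSV so the account column can be
    # compared directly. Column names assume an English-language Windows install.
    $csv = schtasks.exe /s $server /query /v /fo csv 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $csv) {
        Write-Warning "Scheduled tasks on ${server}: schtasks query failed"
        continue
    }
    $csv | ConvertFrom-Csv |
        Where-Object { $_.'Run As User' -like "*$SamName*" } |
        Sort-Object TaskName -Unique |   # one row per task, not one per trigger
        ForEach-Object {
            [pscustomobject]@{
                Server = $server; Type = 'ScheduledTask'
                Name = $_.TaskName; RunAs = $_.'Run As User'
            }
        }
}

# One list of everything that must be updated when the password changes.
$results | Sort-Object Server, Type, Name | Format-Table -AutoSize
```

A server that produces a warning has not been inventoried, so treat it as unknown rather than clean before changing the password.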
I believe this is the proper auditing you'd want to use. Change the value of the following key to 5 (HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering). This will log every LDAP query made against your DC. Below is the KB article explaining the key change and levels of verbosity. I second the use of EventCombMT to actually sort through the logs once you turn this setting on, and be careful since your logs will fill up mighty quick with this enabled.
http://support.microsoft.com/kb/314980