I have a number of domain service accounts that are running with more privileges than they need and I need to reduce their permissions and change all of their passwords.
How can I audit all of the places where a domain service account is used throughout my company?
This is pretty tricky to do. The most effective way is to parse the Security event-log on every domained machine looking for logins by that domain service account. Once you've identified which machines have seen logins you can then hunt up services that may be configured to use them. Parsing event-logs is something you'll want to script unless you have only a few machines.
Unfortunately, Win XP doesn't come with the security log turned on by default (I believe).
Personally I'd run the script from Windows Vista/7 or Server 2008. There is a much improved tool for grabbing event-log data, wevtutil. You can filter for logon events (4624) and dump things in XML for easier parsing:
wevtutil qe Security /r:$MachineName /q:"*[System[(EventID=4624)]]" > $MachineName-Events.xml
Doing your Domain Controllers first will at least tell you what IP addresses logins are coming from, but doing the entire domain is the only way to be 100% certain.
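The following is an added example (not the answerer's script) of what the wevtutil approach looks like once it is scripted across a list of machines: it pulls the 4624 events for one account from each remote Security log, parses the XML, and summarises by machine, logon type and source address so you can see where the account is actually being used. The account name and computer names are placeholders you replace, and it assumes your current credentials can read each remote Security log.

```powershell
# Added example, not from the original answer: collect 4624 logon events for one
# service account from several machines with wevtutil and summarise where/how it
# logs on. Assumes you can read each remote Security log with your current
# credentials; the account and machine names below are constructed placeholders.
param(
    [string]$AccountName = 'svc_example',             # placeholder
    [string[]]$Computers = @('SERVER01', 'SERVER02')  # placeholders
)

# XPath: successful logons (4624) whose TargetUserName is the account of interest
$xpath = "*[System[(EventID=4624)]] and *[EventData[Data[@Name='TargetUserName']='$AccountName']]"

$results = foreach ($machine in $Computers) {
    # wevtutil emits one <Event> element per match with no root node, so wrap the
    # output before handing it to the XML parser.
    $raw = & wevtutil qe Security /r:$machine /q:$xpath /f:xml 2>$null
    if (-not $raw) { continue }
    [xml]$doc = "<Events>$($raw -join '')</Events>"

    foreach ($ev in $doc.Events.Event) {
        # EventData is a list of <Data Name="..."> elements; turn it into a hashtable
        $data = @{}
        foreach ($d in $ev.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }

        [pscustomobject]@{
            Machine   = $machine
            Time      = $ev.System.TimeCreated.SystemTime
            Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType = $data.LogonType   # 2 interactive, 3 network, 4 batch/task, 5 service
            SourceIp  = $data.IpAddress
            Process   = $data.ProcessName
        }
    }
}

# One row per machine / logon type / source address: logon type 5 points at a
# service, type 4 at a scheduled task, type 3 at something connecting over the
# network from SourceIp. That is the list of places to fix before the password change.
$results |
    Group-Object Machine, LogonType, SourceIp |
    Select-Object Count, @{ n = 'Where'; e = { $_.Name } } |
    Sort-Object Count -Descending
```

Querying by account in the XPath rather than pulling every 4624 event keeps the remote query small; run it against the domain controllers first for the network-logon picture, then against member servers for the service and batch logons that never reach the DC's log.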
Searching the Security event log is only going to be useful if logon events are being audited, which I don't believe is enabled by default. You'll need to enable auditing in the Default Domain policy in order to turn on auditing on your non-DC servers (unless you have an OU and GPO specifically for your servers and you're blocking inheritance or setting the GPO to enforced, in which case you'll need to edit the applicable GPO). In addition to that, services configured to use domain accounts will be logged in that server's Security log when those services start, not the DC's Security log.
A service configured to use a domain user account will generate an Event ID 528 in the Security event log with Logon Type 5 when the service is started so you can filter the Security event log for Event ID 528 events to narrow the results.
I just verified this in my own environment (I think I did, based on my tests) so I believe this information is correct.
Another item to look at would be the Scheduled Tasks on each server and see if any of them are configured to use any of the service accounts. If so, you'll need to change the passwords on the Scheduled Tasks as well.
To expand on @joeqwerty, I think you would do better to do an audit of the services and scheduled tasks on all the machines that you care about to see what credentials they use. I'm sure WMI exposes that info, so you could do this with VBS or PowerShell with a few lines and then just run it remotely against your list of machines.
Turning on auditing and trawling through all the event logs seems like more work.
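An added example (not the answerer's code) of the audit this answer describes: it queries Win32_Service over WMI for the account each service logs on as, and reads the "Run As User" column from schtasks verbose CSV output for scheduled tasks, then reports every match against a list of service accounts. The account names and computer names are placeholders you replace; it assumes WMI and schtasks can reach each machine with your current credentials.

```powershell
# Added example, not from the original answer: find services and scheduled tasks
# on a list of machines that run as one of the listed domain service accounts.
# Assumes WMI and schtasks are reachable remotely with your current credentials;
# the account and machine names are constructed placeholders.
param(
    [string[]]$ServiceAccounts = @('CORP\svc_example', 'CORP\svc_backup'),  # placeholders
    [string[]]$Computers       = @('SERVER01', 'SERVER02')                   # placeholders
)

function Get-BareUser([string]$Name) {
    # Services and tasks store the account as DOMAIN\user, user@domain or just user;
    # reduce all three forms to the lower-case user part so they compare equal.
    if (-not $Name) { return '' }
    $n = $Name.Trim()
    if ($n -match '^[^\\]+\\(.+)$') { $n = $Matches[1] }   # DOMAIN\user
    elseif ($n -match '^([^@]+)@') { $n = $Matches[1] }    # user@domain
    return $n.ToLowerInvariant()
}

$targets = @($ServiceAccounts | ForEach-Object { Get-BareUser $_ })

$findings = foreach ($machine in $Computers) {
    # Services: Win32_Service.StartName is the logon account of the service
    $services = Get-WmiObject -Class Win32_Service -ComputerName $machine -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        if ($targets -contains (Get-BareUser $svc.StartName)) {
            [pscustomobject]@{
                Machine = $machine; Kind = 'Service'
                Name = $svc.Name; RunsAs = $svc.StartName; State = $svc.State
            }
        }
    }

    # Scheduled tasks: schtasks /v CSV output carries a 'Run As User' column.
    # The header row is repeated before each task folder, so keep only the first copy.
    $csv = & schtasks /query /s $machine /fo CSV /v 2>$null
    if ($csv) {
        $header = $csv[0]
        $tasks = (@($header) + @($csv | Where-Object { $_ -ne $header })) | ConvertFrom-Csv
        foreach ($t in $tasks) {
            if ($targets -contains (Get-BareUser $t.'Run As User')) {
                [pscustomobject]@{
                    Machine = $machine; Kind = 'ScheduledTask'
                    Name = $t.TaskName; RunsAs = $t.'Run As User'; State = $t.Status
                }
            }
        }
    }
}

# Every row is a credential that must be updated before (or immediately after)
# the account's password is changed, and a candidate for a more narrowly scoped account.
$findings | Sort-Object Machine, Kind, Name | Format-Table -AutoSize
```

This finds the configured uses without needing audit policy changes or log collection, but only on the machines you list; the event-log approach in the other answers is the way to catch machines you did not know about.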