We inherited a global network that would create Domain Admin accounts at the drop of a hat for anyone or to run any service.  I have about 20 sites around the globe that did this.

Is there a way I can create a Custom Inventory rule that will inventory all the Logon As account names that are not Local, Service, Local System, or Network Service?




  • If it's one domain, wouldn't it be simpler to create/assign a set of known domain admin (DA) accounts and remove all others? When individuals start whining that they can't do this or that, then have them justify why they need DA rights. Many, many times, it boils down to someone somewhere not doing their homework/discovery properly and deciding that it's just "easier" to give the user DA.



Oh, that sucks for you.

Have a look at the link below, you will need some pretty flash scripting foo to pull this off though.


I would start by building the script to do what you need it to do, keeping in mind you will need to use this with an ESD system (like SCCM). God I hope you have an ESD system as it will make your life a lot easier...

After you have bashed out your script, it's all about reporting after that...

So thinking about it now I would

  1. Get the script to report on what services run with a domain account.
    Get that script to output to a share location, get it to name the text file as the computername. Maybe add some fancy text at the start of the file so it will help you out later on.

  2. Since you have all the files in one place, then you can parse all the files for info in a script; if you find the info you need, then add it to another file.

    Tadaaa, cheap ass reporting (:

But yeah, good luck,  you will need it!
Answered 09/28/2013 by: rileyz
Red Belt
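
The two steps described in the answer above, sketched in PowerShell as an added example that is not part of the original post. The share path `\\fileserver.example\svc-inventory$` is a placeholder and the function names are hypothetical; it assumes PowerShell 3.0 or later for `Get-CimInstance`.

```powershell
# Added example: inventory services whose "Log On As" account is not a built-in identity.
# $ReportShare is a placeholder UNC path (assumption); point it at your own writable share.
param(
    [string]$ReportShare = '\\fileserver.example\svc-inventory$'
)

# Built-in service identities to ignore, as Win32_Service.StartName reports them.
$builtIn = @(
    'LocalSystem',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

function Test-BuiltInServiceAccount {
    param([string]$StartName)
    if ([string]::IsNullOrWhiteSpace($StartName)) { return $true }  # no logon account recorded
    if ($StartName -like 'NT SERVICE\*') { return $true }           # per-service virtual accounts
    return ($builtIn -contains $StartName)                          # -contains ignores case
}

function Get-NonBuiltInServiceLogon {
    # What remains is domain accounts (DOMAIN\user, user@domain) and local accounts (.\user).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { -not (Test-BuiltInServiceAccount $_.StartName) } |
        Select-Object @{n='ComputerName';e={$env:COMPUTERNAME}},
                      Name, DisplayName, StartName, StartMode, State
}

# Step 1 (runs on every machine via the deployment system): one CSV named after the computer.
$outFile = Join-Path $ReportShare "$env:COMPUTERNAME.csv"
Get-NonBuiltInServiceLogon | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# Step 2 (call once from an admin workstation): merge the per-machine files, group by account.
function Merge-ServiceLogonReport {
    param([string]$Share = $ReportShare)
    Get-ChildItem -Path $Share -Filter '*.csv' |
        ForEach-Object { Import-Csv -Path $_.FullName } |
        Group-Object StartName |
        Sort-Object Count -Descending |
        Select-Object Name, Count,
            @{n='Computers';e={($_.Group.ComputerName | Sort-Object -Unique) -join ', '}}
}
```

Grouping by `StartName` gives one row per account with the machines it runs services on, which is the list to compare against Domain Admins membership before removing rights.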
