Domain Service Accounts Report

This task will:

Audit services from Windows servers found in Active Directory
Find which services use a domain account
Audit each domain service account from Active Directory
Report on passwords that are old, expired, or approaching expiry

Playbook Files

Requires PPA version 2.10.0 or newer

plugins:
  active_directory: ^7
  hashicorp_vault: ^5
  ppa: ^6
  ppa_tools: ^6
  windows_server: ^7.0


set:
  # These values can be changed.
  expiring_soon_days: 30
  use_ssl: true
  validate_cert: true

  # These values should not be changed.
  connection_failures: []
  domain_services: []
  service_accounts: []
  missing_accounts: []
  old_passwords: []
  expiring_soon: []
  expired: []
  all: []


steps:

  - name: Greeting
    actions:

      - ppa.ui.output_markdown:
          doc: >
            {{ globals.icons.active_directory.full }}


            #### Active Directory - Audit Domain Service Accounts


            This task will:


            - Audit services on Windows servers found in Active Directory


            - Find which services use a domain account


            - Check the password health of each domain service account


            You will need to:


            - Select one or more Windows servers


            - Pick a service account report to view

      - ppa.ui.input_accept:
          text: Start


  - name: Get Secrets
    actions:

      - hashicorp_vault.key_value.read_secret_keys:
          secret: active_directory
          keys:
            - name: address
            - name: domain
            - name: username
            - name: password
              sensitive: true
          create_missing: true
          reason: Getting Active Directory details
        save: domain_controller


  - name: Get Computers
    actions:

      - ppa.ui.output_progress:
          text: Finding servers in Active Directory...
          percent: null
          element_id: auditing_servers

      - active_directory.computers.search:
          search_params:
            operatingSystem: '*Server*'
        load:
          domain_controller: domain_controller
        save: search_result

      - ppa.ui.output_progress:
          text: Found {{ search_result.total }} servers in Active Directory
          percent: 100
          element_id: auditing_servers

      - active_directory.computers.select:
          text: Select Servers
          minimum: 1
        load:
          computers: search_result.all
        save: server_selection


  - name: Audit Services
    for_each:
      items: server_selection.all
      name: server
      skip: skip_server
    when: server_selection.total > 0
    actions:

      - ppa.ui.output_progress:
          text: Finding services using a domain account on {{ server.cn }}...
          percent: null
          element_id: auditing_{{ server.cn }}

      - ppa_tools.dictionaries.create:
          username: '{{ domain_controller.username }}@{{ domain_controller.domain }}'
        load:
          address: server.dNSHostName
          password: domain_controller.password
          use_ssl: use_ssl
          validate_cert: validate_cert
        save: windows_server

      - windows_server.services.get_using_domain_account:
        load:
          domain: domain_controller.domain
          windows_server: windows_server
        save: services
        rescue:
          - ppa.ui.output_progress:
              text: Failed to audit services on {{ server.cn }}
              percent: 0
              element_id: auditing_{{ server.cn }}

          - ppa.ui.output_error:
              text: Failed to audit services on {{ server.dNSHostName }} due to a NetBIOS configuration error, please view the logs for more information.
            when: rescue.type == "NoNetBiosName"

          - ppa_tools.lists.append:
            load:
              items: connection_failures
              value: server
            save: connection_failures
            when: rescue.type == "NetworkError"

          - set:
              name: skip_server
              value: true
            when: rescue.type == "NetworkError" or rescue.type == "NoNetBiosName"

          - ppa.ui.output_error:
              text: 'Failed to audit services on {{ server.dNSHostName }}: {{ rescue.error }}'
            when: rescue.type != "NetworkError" and rescue.type != "NoNetBiosName"

          - exit:
              exit_code: 3
            when: rescue.type != "NetworkError" and rescue.type != "NoNetBiosName"

      # Loop over every service dictionary and insert the name of the server it was
      # found on. This is used later when various tables are displayed.
      - ppa_tools.dictionaries.insert:
          name: server_name
        load:
          value: server.cn
          dictionary: service
        for_each:
          items: services
          name: service
        save: services
        when: not skip_server and services != []

      - ppa_tools.lists.combine:
        load:
          first: domain_services
          second: services
        save: domain_services
        when: not skip_server

      - ppa.ui.output_progress:
          text: Found {{ services | length }} service(s) using a domain account on {{ server.cn }}
          percent: 100
          element_id: auditing_{{ server.cn }}
        when: not skip_server


  - name: Display Connection Failures
    when: connection_failures
    actions:

      - ppa.ui.output_markdown:
          doc: >
            ### Connection Errors


            PPA failed to audit {{ connection_failures | length }} server(s) due to connectivity issues.


            Ensure PPA's DNS configuration can resolve the computer names to IP addresses.


            If WinRM is enabled on these servers, you can update the connection settings at the top of the playbook.


            The playbook is currently using **{{ 'HTTPS** (port 5986)' if use_ssl else 'HTTP** (port 5985)' }} _{{ 'with' if validate_cert else 'without' }}_ certificate validation.


      - ppa.ui.input_confirm:
          text: View Affected Servers?
        save: view_connection_failures

      - active_directory.computers.display:
          text: Affected Servers
        load:
          computers: connection_failures
        when: view_connection_failures

      - ppa.ui.input_accept:
          text: Next
        when: view_connection_failures


  - name: Count Services
    actions:

      - count:
        load:
          item: domain_services
        save: service_count


  - name: Exit If No Services
    when: service_count == 0
    actions:

      - ppa.ui.output_info:
          text: No services that use a domain account were found on the selected servers.

      - exit:
          exit_code: 0


  - name: Find Accounts In Active Directory
    for_each:
      items: domain_services
      name: service
    actions:

      - set:
          name: account_missing
          value: false

      - ppa.ui.output_progress:
          text: Finding domain service accounts in Active Directory...
          percent: null
          element_id: find_accounts
        when: step_counter == 1

      - set:
          name: account_name
          value: >
            {{ service.start_name.split('\\').1 if '\\' in service.start_name else service.start_name.split('@').0 }}

      - active_directory.users.by_samaccountname:
        load:
          sAMAccountName: account_name
          domain_controller: domain_controller
        save: service_account
        rescue:
          - ppa_tools.lists.append:
            load:
              items: missing_accounts
              value: service
            save: missing_accounts
            when: rescue.type == "NoUserFound"

          - set:
              name: account_missing
              value: true
            when: rescue.type == "NoUserFound"

          - ppa.ui.output_error:
              text: 'Failed to find service account {{ account_name }} in Active Directory: {{ rescue.error }}'
            when: rescue.type != "NoUserFound"

          - exit:
              exit_code: 3
            when: rescue.type != "NoUserFound"

      - ppa_tools.dictionaries.create:
        load:
          account: service_account
          service: service
        save: service_account
        when: not account_missing

      - ppa_tools.lists.append:
        load:
          items: service_accounts
          value: service_account
        save: service_accounts
        when: not account_missing

      - ppa.ui.output_progress:
          text: Found {{ service_accounts | length }} domain service accounts in Active Directory
          percent: 100
          element_id: find_accounts
        when: step_counter == service_count


  - name: Display Missing Accounts
    when: missing_accounts

    actions:
      - ppa.ui.output_error:
          text: Found {{ missing_accounts | length }} services whose accounts could not be found in Active Directory!

      - windows_server.services.display:
          text: Services with missing accounts
        load:
          services: missing_accounts

      - ppa.ui.input_accept:
          text: Next


  - name: Count Present Accounts & Establish Maximum Password Age
    actions:

      - count:
        load:
          item: service_accounts
        save: service_account_count

      - active_directory.domain.maximum_password_age:
        load:
          domain_controller: domain_controller
        save: maximum_password_age

      - ppa.ui.output_error:
          text: The domain does not have a maximum password age set!
        when: not maximum_password_age

      - ppa.ui.output_info:
          text: A minimal service account password report will be generated.
        when: not maximum_password_age

      - ppa.ui.input_accept:
          text: OK
        when: not maximum_password_age


  - name: Generate Basic Password Statistics (No Maximum Password Age)
    when: not maximum_password_age and service_accounts != []
    for_each:
      items: service_accounts
      name: current_account
    actions:

      - ppa.ui.output_progress:
          text: Generating basic service account password report...
          percent: null
          element_id: generate_basic

      - ppa_tools.dictionaries.create:
          password_age: '{{ current_account.account.password_age.days }} days, {{ current_account.account.password_age.hours }} hrs, & {{ current_account.account.password_age.minutes }} mins'
          password_expiry: N/A
        load:
          account_name: current_account.account.sAMAccountName
          service_name: current_account.service.name
          server_name: current_account.service.server_name
          password_last_set: current_account.account.pwdLastSet
        save: service_account_stats

      - ppa_tools.lists.append:
        load:
          items: old_passwords
          value: service_account_stats
        save: old_passwords
        when: current_account.account.password_age.days > 90

      - ppa_tools.lists.append:
        load:
          items: all
          value: service_account_stats
        save: all

      - ppa.ui.output_progress:
          text: Generated basic service account password report
          percent: 100
          element_id: generate_basic


  - name: Get Service Account Password Statistics
    for_each:
      items: service_accounts
      name: current_account
    when: maximum_password_age
    actions:

      - ppa.ui.output_progress:
          text: Getting service accounts password age & expiry data...
          percent: null
          element_id: generate_password_report
        when: step_counter == 1

      - active_directory.users.get_password_expiry:
        load:
          distinguishedName: current_account.account.distinguishedName
          maximum_password_age: maximum_password_age
          domain_controller: domain_controller
        save: password_expiry

      - ppa_tools.dictionaries.create:
          password_age: '{{ current_account.account.password_age.days }} days, {{ current_account.account.password_age.hours }} hrs, & {{ current_account.account.password_age.minutes }} mins'
          password_expiry: '{{ password_expiry.days }} days, {{ password_expiry.hours }} hrs, & {{ password_expiry.minutes }} mins'
        load:
          account_name: current_account.account.sAMAccountName
          service_name: current_account.service.name
          server_name: current_account.service.server_name
          password_last_set: current_account.account.pwdLastSet
        save: service_account_stats

      - ppa_tools.lists.append:
        load:
          items: expiring_soon
          value: service_account_stats
        save: expiring_soon
        when: password_expiry.total_seconds > 0 and password_expiry.days < expiring_soon_days

      - ppa_tools.lists.append:
        load:
          items: old_passwords
          value: service_account_stats
        save: old_passwords
        when: password_expiry.total_seconds > 0 and current_account.account.password_age.days > 90

      - ppa_tools.lists.append:
        load:
          items: expired
          value: service_account_stats
        save: expired
        when: password_expiry.total_seconds < 0

      - ppa_tools.lists.append:
        load:
          items: all
          value: service_account_stats
        save: all

      - ppa.ui.output_progress:
          text: Got service accounts password age & expiry data
          percent: 100
          element_id: generate_password_report
        when: step_counter == service_account_count


  - name: Display Markdown Summary
    actions:

      - count:
        load:
          item: connection_failures
        save: connection_failure_count

      - set:
          name: maximum_password_age_display
          value: '{{ maximum_password_age.days }} days, {{ maximum_password_age.hours }} hrs, & {{ maximum_password_age.minutes }} mins'
        when: maximum_password_age

      - set:
          name: maximum_password_age_display
          value: 'N/A _(no maximum password age configured)_'
        when: not maximum_password_age

      - ppa.ui.output_markdown:
          doc: >
            ## Domain Service Accounts



            ### Audit Summary


            - **Domain:** {{ domain_controller.domain }}



            - **Servers Audited:** {{ server_selection.total - connection_failure_count }}



            - **Services Using Domain Account:** {{ service_count }}



            - **Maximum Password Age:** {{ maximum_password_age_display }}



            ### Service Account Health



            - **Expired Passwords:** {{ expired | length if maximum_password_age else 'N/A _(no maximum password age configured)_' }}



            - **Passwords Older Than 90 days:** {{ old_passwords | length }}



            - **Password Expiring Within {{ expiring_soon_days }} Days:** {{ expiring_soon | length if maximum_password_age else 'N/A _(no maximum password age configured)_'  }}



            - **Deleted Accounts:** {{ missing_accounts | length }}



            _Note: These figures are the number of services, not the number of service accounts._


  - name: Select Report
    actions:

      - ppa.ui.input_choice:
          text: Select Report
          options:
            All Service Accounts: all
            Passwords older than 90 days: old_passwords
            Expired passwords: expired
            Passwords expiring soon: expiring_soon
        save: selected_report
        when: maximum_password_age

      - ppa.ui.input_choice:
          text: Select Report
          options:
            All Service Accounts: all
            Passwords older than 90 days: old_passwords
        save: selected_report
        when: not maximum_password_age


  - name: Display Expired Passwords
    when: selected_report == "expired"
    actions:

      - ppa.ui.output_info:
          text: There are no domain service accounts with expired passwords.
        when: not expired

      - exit:
          exit_code: 0
        when: not expired

      - ppa.ui.output_error:
          text: Found {{ expired | length }} service account(s) with an expired password!

      - ppa_tools.generate.table_from_dictionaries:
          header:
            - Service
            - Account
            - Server
            - Password Age
            - Password Last Set
          keys:
            - service_name
            - account_name
            - server_name
            - password_age
            - password_last_set
        load:
          dictionaries: expired
        save: table

      - ppa.ui.output_table:
          text: Service Accounts with Expired Passwords
        load:
          header: table.header
          rows: table.rows


  - name: Display Soon To Expire Passwords
    when: selected_report == "expiring_soon"
    actions:

      - ppa.ui.output_info:
          text: There are no domain service accounts with passwords expiring within {{ expiring_soon_days }} days.
        when: not expiring_soon

      - exit:
          exit_code: 0
        when: not expiring_soon

      - ppa.ui.output_error:
          text: Found {{ expiring_soon | length }} service account(s) with a password expiring within {{ expiring_soon_days }} days!

      - ppa_tools.generate.table_from_dictionaries:
          header:
            - Service
            - Account
            - Server
            - Password Age
            - Password Last Set
            - Password Expires In
          keys:
            - service_name
            - account_name
            - server_name
            - password_age
            - password_last_set
            - password_expiry
        load:
          dictionaries: expiring_soon
        save: table

      - ppa.ui.output_table:
          text: Service Accounts with Passwords Expiring Soon
        load:
          header: table.header
          rows: table.rows

  - name: Display Soon To Expire Passwords
    when: selected_report == "old_passwords"
    actions:
      - ppa.ui.output_info:
          text: There are no domain service accounts with passwords older than 90 days.
        when: not old_passwords

      - exit:
          exit_code: 0
        when: not old_passwords

      - ppa.ui.output_error:
          text: Found {{ old_passwords | length }} service account(s) with a password older than 90 days!

      - ppa_tools.generate.table_from_dictionaries:
          header:
            - Service
            - Account
            - Server
            - Password Age
            - Password Last Set
            - Password Expires In
          keys:
            - service_name
            - account_name
            - server_name
            - password_age
            - password_last_set
            - password_expiry
        load:
          dictionaries: old_passwords
        save: table

      - ppa.ui.output_table:
          text: Service Accounts with Passwords Older Than 90 Days
        load:
          header: table.header
          rows: table.rows


  - name: Display All
    when: selected_report == "all"
    actions:

      - ppa_tools.generate.table_from_dictionaries:
          header:
            - Service
            - Account
            - Server
            - Password Age
            - Password Last Set
            - Password Expires In
          keys:
            - service_name
            - account_name
            - server_name
            - password_age
            - password_last_set
            - password_expiry
        load:
          dictionaries: all
        save: table

      - ppa.ui.output_table:
          text: All Service Accounts
        load:
          header: table.header
          rows: table.rows

Running this Playbook

Click download playbook
Import the downloaded file via the Playbooks page on PPA
Build the playbook from the Edit & Build tab
Run the playbook from the Preview & Deploy tab

* Requires PPA v2.9.x or newer

Integrations

PPA User Interface
Hashicorp Vault Key-Value engine
Windows Server Domain & Services
Active Directory Domain, Computers & Users

Domain Maximum Password Age

This task uses the maximum password age configured in Active Directory to calculate password expiries.

If there is no maximum password age configured, a minimal report will be generated instead.

Required Vault Details

Active Directory

IP/DNS address of a Domain Controller
Domain FQDN
Username
Password

The Active Directory credentials require the permission to audit services on domain servers, & users in Active Directory.

Vault Configuration Wizard

The first time you run a task built from this playbook, PPA will check the required Vault details exist.

If they don't exist, PPA will ask you to supply the details at the start of the task.

Below you can see a user providing details the first time they run an Active Directory task.

vault-config-wizard

Once the details are added to Vault, the task won't ask for them again.

If you don't know the required details, ask an administrator to run the task or configure Vault manually.

What the Task Does

Once started, this task will:

Find all servers in Active Directory
Allow the Task Operator to select one or more servers
Audit services that use a domain account from each server
Check the password health of each service account in Active Directory
Present a summary of password health & ask the task operator which accounts to display

Powershell Remoting (WinRM)

This task uses Powershell Remoting over WinRM to connect to Windows Servers & audit services.

See this Microsoft article for more information on how to securely enable WinRM.

Connection Settings

By default this playbook will:

Use SSL when connecting to the Windows server
Validate the Windows server certificate

You can change these settings on lines 10 & 11 of the playbook:

  use_ssl: true
  validate_cert: true

See our other playbooks

Get PPA for free!

Start automating your estate with a free 30 day trial today. No signup required!

Get PPA Express

Documentation

Installation Guide
See how easy it is to get started with our installation guide
Playbooks
View our task writing reference guide
Plugins
See how to integrate with different systems using our plugins reference guide.