Finding domain account on network
jah8887
Hi all,
I am having an issue finding an AD account that may be running on PCs and servers in our domain. I am trying to find a script or suggestion to have something look for this account while doing it passively to avoid interruption. I have used a PowerShell script, but it seems to not be working as intended and/or it's not finding what I am looking for. This account could be used under services and other things on the network. Any help is appreciated!
Comments
PCTechLinc
If you have access to a DC and its Event Log, then you will be able to associate the AD account with the computer that is authenticating, reading through the Security Log in Event Viewer. Keep in mind that if you have multiple DCs, it will not be 100% accurate, as that information is not stored in the ntds.dit file.
I am in no way a scripting guru, but if you do a search for "query domain controller user computer" you will get many different options that have worked for other people.
kaiju
Did you try Get-ADServiceAccount?
NetworkNewb
If you want to find where it is logged in to, you could write a script that uses "quser /server:COMPUTERNAME" and have it loop through all the computers on your network (I'd probably grab all the computer names from Active Directory) and look at the USERNAMEs it finds and notify when it finds the one you are looking for.
Not sure if that is helpful, but it is where I would start if I needed to find one on a random network. I don't have a script like that written since I would just check the SIEM tool at my place.
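Added example, not part of any post in this thread: a read-only PowerShell sketch of the loop described above, extended to also list services configured to run as the account. It assumes the RSAT ActiveDirectory module, CIM/WinRM access to the targets, and a placeholder account name `svc-example`.

```powershell
# Added example: read-only inventory of where one account is in use.
# Assumptions: RSAT ActiveDirectory module is installed, CIM/WinRM is reachable
# on the targets, and 'svc-example' is a placeholder account name.
Import-Module ActiveDirectory

$Account = 'svc-example'   # placeholder sAMAccountName, not from the thread

# Grab all enabled computer names from Active Directory
$computers = Get-ADComputer -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty Name

$results = foreach ($computer in $computers) {
    # Skip hosts that do not answer so one dead machine does not stall the run
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) { continue }

    # 1) Services configured to run as the account (StartName is DOMAIN\user or user@domain)
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction Stop |
            Where-Object { $_.StartName -like "*$Account*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $computer
                    Source   = 'Service'
                    Detail   = "$($_.Name) ($($_.State))"
                }
            }
    } catch {
        Write-Warning "$computer : service query failed: $($_.Exception.Message)"
    }

    # 2) Interactive/RDP sessions, via quser /server:COMPUTERNAME
    $sessions = quser /server:$computer 2>$null
    foreach ($line in ($sessions | Select-Object -Skip 1)) {
        # First column is USERNAME; a leading '>' marks the current session
        $user = ($line.Trim() -replace '^>', '' -split '\s+')[0]
        if ($user -eq $Account) {
            [pscustomobject]@{
                Computer = $computer
                Source   = 'Session'
                Detail   = $line.Trim()
            }
        }
    }
}

$results | Sort-Object Computer | Format-Table -AutoSize
```

This covers services and interactive sessions only; scheduled tasks and network logons are not checked by it.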