- Services
- Scheduled Tasks
- IIS App Pools
- Mapped Drives
- Stored Credentials
- SQL Services
You can run this on the target server:
PowerShell Script: Audit for Domain Credential Usage
```powershell
# Define the domain username to search for
$targetUser = "Test.Admin"
# Escape the name so the "." is matched literally by -match
$pattern = [regex]::Escape($targetUser)
Write-Host "Searching for domain credential usage for: $targetUser" -ForegroundColor Cyan

# 1. SERVICES
Write-Host "`n[1] SERVICES RUNNING AS DOMAIN USERS:" -ForegroundColor Yellow
Get-CimInstance Win32_Service | Where-Object {
    $_.StartName -match '\\' -and $_.StartName -match $pattern
} | Select-Object Name, DisplayName, StartName, State | Format-Table -AutoSize

# 2. SCHEDULED TASKS
Write-Host "`n[2] SCHEDULED TASKS USING DOMAIN ACCOUNTS:" -ForegroundColor Yellow
$tasks = Get-ScheduledTask | ForEach-Object {
    $principal = $_.Principal.UserId
    if ($principal -match $pattern) {
        [PSCustomObject]@{
            TaskName = $_.TaskName
            TaskPath = $_.TaskPath
            User     = $principal
            State    = $_.State  # State is a property of the task itself
        }
    }
}
$tasks | Format-Table -AutoSize

# 3. IIS APP POOLS (if IIS is installed)
Write-Host "`n[3] IIS APP POOLS WITH CUSTOM IDENTITIES:" -ForegroundColor Yellow
Import-Module WebAdministration -ErrorAction SilentlyContinue
$appPools = Get-ChildItem IIS:\AppPools -ErrorAction SilentlyContinue
foreach ($pool in $appPools) {
    $processModel = (Get-Item "IIS:\AppPools\$($pool.Name)").processModel
    # identityType is reported as 'SpecificUser' (numeric value 3); accept either form
    if ($processModel.identityType -in 'SpecificUser', 3) {
        $userName = $processModel.userName
        if ($userName -match $pattern) {
            Write-Host "$($pool.Name): $userName" -ForegroundColor Green
        }
    }
}

# 4. MAPPED NETWORK DRIVES
Write-Host "`n[4] MAPPED NETWORK DRIVES:" -ForegroundColor Yellow
try {
    # -ErrorAction Stop turns a failed query into an error the catch block sees
    Get-SmbMapping -ErrorAction Stop |
        Select-Object LocalPath, RemotePath, UserName | Format-Table -AutoSize
} catch {
    Write-Host "Could not query SMB mappings. Are you running as admin?"
}

# 5. WINDOWS STORED CREDENTIALS (CMDKEY)
Write-Host "`n[5] WINDOWS STORED CREDENTIALS:" -ForegroundColor Yellow
cmdkey /list | Select-String -Pattern $pattern -Context 0,2

# 6. SQL SERVER SERVICES (Check service accounts)
Write-Host "`n[6] SQL SERVER SERVICES USING DOMAIN ACCOUNTS:" -ForegroundColor Yellow
Get-CimInstance Win32_Service | Where-Object {
    $_.Name -match "MSSQL" -and $_.StartName -match $pattern
} | Select-Object Name, StartName, State | Format-Table -AutoSize
```
Notes:
- Replace Test.Admin in the script if you’re auditing for a different account.
- Must be run with elevated privileges (as Administrator).
- Some sections (like IIS) only work if the relevant role/feature is installed.
- It doesn’t change anything; it only reports.
To push the new password to services, scheduled tasks, IIS app pools, etc., you can use the PowerShell script below to automate the updates where possible.
Pre-Work
Make sure you have:
- The new password securely saved (ideally in a variable)
- Run PowerShell as Administrator
Let’s say:
```powershell
$domainUser = "MYDOMAIN\test.admin"
$newPassword = "NewStrongPassword123!" | ConvertTo-SecureString -AsPlainText -Force
```
PowerShell Script: Update Password Everywhere
```powershell
# Set variables
$domainUser = "MYDOMAIN\test.admin"
$newPassword = "NewStrongPassword123!" | ConvertTo-SecureString -AsPlainText -Force
$plainPassword = "NewStrongPassword123!" # Needed for Scheduled Tasks
# Note: sc.exe and cmdkey take the password as a command-line argument,
# so it is visible to process command-line logging on this server.

# -----------------------
# 1. Update Windows Services
# -----------------------
Write-Host "`n[1] Updating Services..." -ForegroundColor Cyan
Get-CimInstance Win32_Service | Where-Object {
    $_.StartName -eq $domainUser
} | ForEach-Object {
    Write-Host "  -> Updating service: $($_.Name)" -ForegroundColor Yellow
    sc.exe config $_.Name obj= $domainUser password= $plainPassword | Out-Null
    # sc.exe does not throw; a non-zero exit code means the change was not applied
    if ($LASTEXITCODE -ne 0) {
        Write-Host "  [!] sc.exe failed for $($_.Name) (exit code $LASTEXITCODE)" -ForegroundColor Red
    }
}

# -----------------------
# 2. Update Scheduled Tasks
# -----------------------
Write-Host "`n[2] Updating Scheduled Tasks..." -ForegroundColor Cyan
$tasks = Get-ScheduledTask | Where-Object {
    $_.Principal.UserId -eq $domainUser
}
foreach ($task in $tasks) {
    try {
        Write-Host "  -> Updating task: $($task.TaskName)" -ForegroundColor Yellow
        # Set-ScheduledTask changes only the stored credentials and keeps the
        # task's path, actions, triggers and settings as they are
        Set-ScheduledTask -TaskName $task.TaskName `
            -TaskPath $task.TaskPath `
            -User $domainUser `
            -Password $plainPassword `
            -ErrorAction Stop | Out-Null
    } catch {
        Write-Host "  [!] Failed to update task: $($task.TaskName)" -ForegroundColor Red
    }
}

# -----------------------
# 3. Update IIS App Pools
# -----------------------
Write-Host "`n[3] Updating IIS App Pools..." -ForegroundColor Cyan
Import-Module WebAdministration -ErrorAction SilentlyContinue
$appPools = Get-ChildItem IIS:\AppPools -ErrorAction SilentlyContinue | Where-Object {
    $pm = (Get-Item "IIS:\AppPools\$($_.Name)").processModel
    # identityType is reported as 'SpecificUser' (numeric value 3); accept either form
    ($pm.identityType -in 'SpecificUser', 3) -and ($pm.userName -eq $domainUser)
}
foreach ($pool in $appPools) {
    Write-Host "  -> Updating App Pool: $($pool.Name)" -ForegroundColor Yellow
    Set-ItemProperty "IIS:\AppPools\$($pool.Name)" -Name processModel -Value @{userName=$domainUser; password=$plainPassword; identityType=3}
}

# -----------------------
# 4. Credential Manager (Optional Clear + Add)
# -----------------------
Write-Host "`n[4] Updating Credential Manager..." -ForegroundColor Cyan
$target = "Domain:$domainUser"
cmdkey /delete:$target | Out-Null
cmdkey /add:$target /user:$domainUser /pass:$plainPassword | Out-Null
Write-Host "  [+] Credential added: $target" -ForegroundColor Green
```
Result
This script:
- Updates Windows services that use the domain account
- Updates Scheduled Tasks using that account
- Updates IIS App Pools using custom identities
- Optionally updates Credential Manager

Notes:
- This does not change the password in Active Directory; it only updates it where it's stored on the local server.
- Always test in a non-production environment first if possible.
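
Because the update script only writes the password locally and never checks it against Active Directory, a typo gets stored everywhere and surfaces later as logon failures. The following is an added example, not part of the original script: it prompts for the password instead of hard-coding it, validates it against the domain once before anything is changed, and afterwards lists Service Control Manager logon failures. The function names `Test-DomainCredential` and `Get-ServiceLogonFailure` are hypothetical, and `MYDOMAIN\test.admin` is the sample account used above.

```powershell
# Added example; function names are hypothetical, not from the original script.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-DomainCredential {
    # Returns $true only if the domain accepts the password. A wrong password
    # counts as one failed logon, so call this once, not in a loop.
    param([Parameter(Mandatory)][pscredential]$Credential)
    $net    = $Credential.GetNetworkCredential()
    # Domain is empty when the name was typed without a DOMAIN\ prefix
    $domain = if ($net.Domain) { $net.Domain } else { $env:USERDOMAIN }
    $ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain)
    try     { $ctx.ValidateCredentials($net.UserName, $net.Password) }
    finally { $ctx.Dispose() }
}

function Get-ServiceLogonFailure {
    # Service Control Manager events: 7038 = service could not log on with the
    # configured password, 7000 = service failed to start.
    param([Parameter(Mandatory)][datetime]$Since)
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7000, 7038; StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Prompt instead of hard-coding; the password never appears in the script file.
$credential = Get-Credential -UserName 'MYDOMAIN\test.admin' -Message 'New password'
if (-not (Test-DomainCredential -Credential $credential)) {
    throw 'Domain rejected the password; nothing was changed on this server.'
}
$domainUser    = $credential.UserName
$plainPassword = $credential.GetNetworkCredential().Password  # for the sc.exe / task / IIS steps
$started       = Get-Date

# ... run update steps 1-4 from the script above here, using these variables ...

# A service only uses the new password at its next start, so run this check
# after the affected services have been restarted.
Get-ServiceLogonFailure -Since $started | Format-List
Remove-Variable plainPassword, credential
```

An empty result from `Get-ServiceLogonFailure` means no service has logged a failure since `$started`; it does not prove that every service has already restarted with the new password.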