Built and Maintained in France by SERVTEP | Lead Architect: Pchelnikau Artur
AD Service Account Manager is an enterprise-grade PowerShell framework that codifies identity lifecycle management and eliminates identity debt within Active Directory. It transitions organizations away from fragmented, manual service account management into a structured, audited, and automated governance model, dramatically reducing the risk of credential-based compromise.
Supports Standard, Managed Service Accounts (MSA), and Group Managed Service Accounts (gMSA), with native hybrid coverage via Microsoft Graph / Entra ID.
- Strategic Overview
- Prerequisites
- Quick Start
- CLI Reference
- Modules
- Security Engine
- Audit & Compliance
| Operational Objective | Functional Component | Mitigated Risk |
|---|---|---|
| Lifecycle Management | Provisioning (Wizard, Clone, Bulk CSV) | Unauthorized Account Creation & Identity Debt |
| Security Hardening | Proactive Attack Surface Scanning | Credential Theft (Kerberoasting, AS-REP) |
| Dependency Mapping | WMI/WS-Man Discovery (Service, Task, IIS) | Service Downtime during Rotation/Decommissioning |
| Privilege Governance | Shadow Admin & AdminSDHolder Auditing | Persistent Backdoors & Domain Escalation |
| Integrity Auditing | SHA-256 Hashed Logs & SIEM Export | Compliance Failures & Log Tampering |
| Module | Status | Purpose |
|---|---|---|
| PowerShell 5.1+ | Required | Core runtime |
| RSAT ActiveDirectory | Required | AD operations & LDAP filtering |
| Microsoft.Graph | Optional | Entra ID / hybrid cloud coverage |
| WebAdministration | Optional | IIS App Pool dependency scanning |
| GroupPolicy | Optional | GPO impact analysis & gpresult |
Microsoft Graph Scopes: Application.Read.All, Directory.Read.All, AppRoleAssignment.Read.All
| Role | Access Level |
|---|---|
| ReadOnly | Scans, inventory, and health auditing |
| DelegatedAdmin / AccountOperator | Write operations (Create, Modify, Delete) on specific OUs |
| DomainAdmin | Forest-wide security sweeps & AdminSDHolder auditing |
| Local Administrator | Dependency mapping via WMI/CIM and Task Scheduler on target servers |
⚠️ SMTP Security Notice: SMTP credentials are encrypted with Windows DPAPI, bound strictly to the user account and machine where the configuration was performed. If running as a Scheduled Task, the task identity must match the identity used during SMTP setup.
```powershell
# Launch the full interactive management console
.\AD-Service-Account-Manager.ps1
# Execute a non-interactive security scan and email findings
.\AD-Service-Account-Manager.ps1 -Mode SecurityScan -SmtpAlert
# Run a forest-wide inventory in safe simulation mode
.\AD-Service-Account-Manager.ps1 -Mode Inventory -Forest -DryRun
# Drift-detection run with email alert (suitable for a weekly Scheduled Task, e.g. Monday at 02:00)
.\AD-Service-Account-Manager.ps1 -Mode DriftCheck -SmtpAlert
```
| Parameter | Values / Usage | Outcome |
|---|---|---|
| -Mode | Audit | Exports HTML reports and SIEM-ready JSON logs |
| | SecurityScan | Executes high-priority sweeps (Kerberoasting, AS-REP, etc.) |
| | Inventory | Full domain discovery with data export |
| | DriftCheck | Detects unauthorized mutations vs. baseline |
| | HealthCheck | Audits stale status, lockouts, and account health |
| -Domain | FQDN (e.g., corp.local) | Targets a specific domain; defaults to local |
| -Forest | Switch | Scans all domains in the forest topology |
| -DryRun | Switch | Simulates write logic with [WHATIF]; zero AD changes |
| -ReadOnly | Switch | Hard-locks session; blocks all modification options |
| -SmtpAlert | Switch | Dispatches email report after non-interactive run |
💡 Safety Flags: -DryRun processes write-logic paths while prefixing actions with [WHATIF]. -ReadOnly is a session-level guardrail that completely blocks creation and modification commands from the console UI.
- Single Account Wizard: Guided creation for Standard, MSA, and gMSA accounts with KDS Root Key verification
- Account Cloning: Replicates Description, OU placement, and group memberships for functional parity
- Bulk CSV Import: Mass provisioning with enforced sAMAccountName max length (20 chars), automatic illegal character sanitization, and batch Rollback support
Before any modification or deletion, the tool queries remote hosts to prevent service outages:
| Protocol | Target | Ports |
|---|---|---|
| WMI / CIM | Windows Services | 135 |
| WS-Man / PSRemoting | Scheduled Tasks, IIS App Pools | 5985 / 5986 |
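The dependency walk described above, as an added example that is not the project's own code: it checks services over WMI/CIM and scheduled tasks plus IIS app pools over PSRemoting. It assumes local admin on the targets and reachable 135 / 5985 ports; the account and server names are constructed samples.

```powershell
# Added example: map where a service account is used before rotating or removing it.
function Get-SvcAcctDependency {
    param(
        [Parameter(Mandatory)][string]$Account,        # e.g. 'CORP\svc-backup' or gMSA 'CORP\gmsa-web$'
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    # Hosts store the identity in several spellings: DOMAIN\name, bare name, or UPN.
    $short = $Account.Split('\')[-1]
    $forms = @($Account, $short, "$short@$($env:USERDNSDOMAIN)")

    foreach ($server in $ComputerName) {
        # Windows services via WMI/CIM (DCOM, TCP 135 + dynamic RPC)
        Get-CimInstance -ComputerName $server -ClassName Win32_Service -ErrorAction Continue |
            Where-Object { $_.StartName -in $forms } |
            ForEach-Object { [pscustomobject]@{ Server=$server; Type='Service'; Name=$_.Name; RunAs=$_.StartName } }

        # Scheduled tasks and IIS app pools via WS-Man / PSRemoting (TCP 5985/5986)
        Invoke-Command -ComputerName $server -ArgumentList (,$forms) -ErrorAction Continue -ScriptBlock {
            param([string[]]$forms)
            Get-ScheduledTask | Where-Object { $_.Principal.UserId -in $forms } |
                ForEach-Object { [pscustomobject]@{ Server=$env:COMPUTERNAME; Type='Task'; Name=($_.TaskPath + $_.TaskName); RunAs=$_.Principal.UserId } }
            # WebAdministration is optional (see prerequisites); skip app pools where it is absent
            if (Get-Module -ListAvailable -Name WebAdministration) {
                Import-Module WebAdministration
                Get-ChildItem IIS:\AppPools | Where-Object { $_.processModel.userName -in $forms } |
                    ForEach-Object { [pscustomobject]@{ Server=$env:COMPUTERNAME; Type='AppPool'; Name=$_.Name; RunAs=$_.processModel.userName } }
            }
        } | Select-Object Server, Type, Name, RunAs
    }
}

# Usage (constructed names): every hit is a consumer that breaks if the password or account changes
Get-SvcAcctDependency -Account 'CORP\svc-backup' -ComputerName 'APP01','APP02' | Format-Table -AutoSize
```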
Flags non-standard SPNs on computer objects and audits unconstrained delegation on non-DC machines, closing a common visibility gap in hybrid environments.
The security module is a proactive defense engine designed to uncover legacy vulnerabilities and sophisticated persistence mechanisms.
| Threat Vector | Detection Logic | Risk Level |
|---|---|---|
| Kerberoasting | Accounts with SPNs using RC4 encryption or adminCount=1 | Critical |
| AS-REP Roasting | Accounts with Kerberos pre-auth disabled | Critical |
| Unconstrained Delegation | Accounts capable of stealing TGTs from any authenticating user | Critical |
| SID History | Legacy SIDs from previous domains granting hidden elevated privileges | High |
Detects accounts with adminCount=1 no longer in privileged groups, and performs AdminSDHolder ACE comparisons to uncover red-team backdoors that survive the hourly SDProp reset.
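The detection logic in the table above and the orphaned-adminCount check, written out as an added example (not the project's own code) against the RSAT ActiveDirectory module. The userAccountControl and encryption-type bit values are Microsoft's documented constants; deriving "protected group" membership from groups that themselves carry adminCount=1 is an assumption about how to approximate the AdminSDHolder set.

```powershell
# Added example: the LDAP queries behind the security engine's findings.
Import-Module ActiveDirectory

$UF_TRUSTED_FOR_DELEGATION = 0x80000    # userAccountControl: unconstrained delegation
$UF_DONT_REQUIRE_PREAUTH   = 0x400000   # userAccountControl: Kerberos pre-auth not required
$ENC_RC4                   = 0x4        # msDS-SupportedEncryptionTypes: RC4-HMAC bit
$BitAnd = '1.2.840.113556.1.4.803'      # LDAP_MATCHING_RULE_BIT_AND

function Invoke-SvcAcctSecurityScan {
    $findings = [System.Collections.Generic.List[object]]::new()
    $add = { param($vector, $risk, $obj) $findings.Add([pscustomobject]@{ Vector=$vector; Risk=$risk; Account=$obj.DistinguishedName }) }

    # Kerberoasting: SPN-bearing users that still accept RC4 (attribute absent means the DC
    # falls back to RC4) or that are privileged (adminCount=1). krbtgt is excluded by design.
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
               -Properties msDS-SupportedEncryptionTypes,adminCount |
        Where-Object { $e = $_.'msDS-SupportedEncryptionTypes'; (-not $e) -or ($e -band $ENC_RC4) -or ($_.adminCount -eq 1) } |
        ForEach-Object { & $add 'Kerberoasting' 'Critical' $_ }

    # AS-REP roasting: pre-authentication disabled (bitwise match, value must be decimal)
    Get-ADUser -LDAPFilter "(userAccountControl:${BitAnd}:=$UF_DONT_REQUIRE_PREAUTH)" |
        ForEach-Object { & $add 'AS-REP Roasting' 'Critical' $_ }

    # Unconstrained delegation on anything that is not a DC (primaryGroupID 516 = DCs, 521 = RODCs)
    Get-ADObject -LDAPFilter "(&(|(objectClass=user)(objectClass=computer))(userAccountControl:${BitAnd}:=$UF_TRUSTED_FOR_DELEGATION)(!(primaryGroupID=516))(!(primaryGroupID=521)))" |
        ForEach-Object { & $add 'Unconstrained Delegation' 'Critical' $_ }

    # SID history inherited from a migrated domain
    Get-ADUser -LDAPFilter '(sIDHistory=*)' | ForEach-Object { & $add 'SID History' 'High' $_ }

    # Orphaned adminCount: SDProp never clears the flag after removal from a protected group,
    # so compare against the recursive membership of every group that is itself adminCount=1.
    $protected = Get-ADGroup -LDAPFilter '(adminCount=1)' |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
        Select-Object -ExpandProperty DistinguishedName -Unique
    Get-ADUser -LDAPFilter '(adminCount=1)' |
        Where-Object { $protected -notcontains $_.DistinguishedName } |
        ForEach-Object { & $add 'Orphaned adminCount' 'High' $_ }

    return $findings
}

Invoke-SvcAcctSecurityScan | Sort-Object Risk, Vector | Format-Table -AutoSize
```

An orphaned adminCount object also keeps the AdminSDHolder ACL and inheritance block, so it should be reviewed and reset rather than just reported.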
- Credential Guard Compatibility: Identifies accounts relying on NTLM or Unconstrained Delegation (blocked by VBS)
- Protected Users Impact: Flags service accounts at risk from the group's 4-hour TGT lifetime or AES-only enforcement
Compliant with CIS, NIST SP 800-53, and ISO 27001 frameworks.
Every write operation recomputes a SHA-256 hash of the CSV audit log, stored alongside the log as a .sha256 file. Any unauthorized modification to the audit trail is detected on the next review cycle.
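The sidecar hashing scheme described above, as an added example that is not the project's own code. Function and file names are constructed; only the .sha256 sidecar convention comes from the text.

```powershell
# Added example: seal a CSV audit log with a SHA-256 sidecar and verify it on the next review.
function Update-AuditLogHash {
    param([Parameter(Mandatory)][string]$LogPath)
    $hash = (Get-FileHash -Path $LogPath -Algorithm SHA256).Hash
    # Sidecar lives next to the log: audit.csv -> audit.csv.sha256
    Set-Content -Path "$LogPath.sha256" -Value $hash -Encoding ascii -NoNewline
    return $hash
}

function Test-AuditLogIntegrity {
    param([Parameter(Mandatory)][string]$LogPath)
    $sidecar = "$LogPath.sha256"
    if (-not (Test-Path $sidecar)) {
        return [pscustomobject]@{ Log=$LogPath; Status='NoBaseline' }
    }
    $expected = (Get-Content -Path $sidecar -Raw).Trim()
    $actual   = (Get-FileHash -Path $LogPath -Algorithm SHA256).Hash
    # Get-FileHash emits upper-case hex; compare case-insensitively
    $status = if ($expected -ieq $actual) { 'Intact' } else { 'TAMPERED' }
    [pscustomobject]@{ Log=$LogPath; Expected=$expected; Actual=$actual; Status=$status }
}

# Every write: verify first, append the entry, then re-seal
function Write-AuditEntry {
    param([string]$LogPath, [string]$Actor, [string]$Action, [string]$Target)
    $check = Test-AuditLogIntegrity -LogPath $LogPath
    if ($check.Status -eq 'TAMPERED') { throw "Audit log $LogPath failed integrity check; refusing to append" }
    [pscustomobject]@{ Timestamp=(Get-Date).ToString('o'); Actor=$Actor; Action=$Action; Target=$Target } |
        Export-Csv -Path $LogPath -Append -NoTypeInformation
    Update-AuditLogHash -LogPath $LogPath | Out-Null
}

# Usage (constructed path)
$log = Join-Path $env:APPDATA 'ADSvcAcctMgr\audit.csv'
Write-AuditEntry -LogPath $log -Actor $env:USERNAME -Action 'ResetPassword' -Target 'CN=svc-backup,OU=ServiceAccounts,DC=corp,DC=local'
Test-AuditLogIntegrity -LogPath $log
```

A sidecar in the same directory catches accidental edits and unsophisticated tampering; because anyone who can rewrite the log can rewrite the hash, ship the hash (or the whole log) to the SIEM export as well so the comparison can be made against a copy the writer cannot touch.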
Establish a Baseline Snapshot (stored as JSON in %APPDATA%\ADSvcAcctMgr) and run subsequent scans to detect unauthorized account creations, OU moves, or changes to security flags.
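A baseline-and-diff implementation for the drift check above, as an added example (not the project's own code). The %APPDATA%\ADSvcAcctMgr location comes from the text; the OU, the attribute set and the function names are assumptions.

```powershell
# Added example: snapshot service accounts to JSON, then diff a later scan against it.
$BaselineDir  = Join-Path $env:APPDATA 'ADSvcAcctMgr'
$BaselinePath = Join-Path $BaselineDir 'baseline.json'
$SearchBase   = 'OU=ServiceAccounts,DC=corp,DC=local'   # constructed sample OU

function Get-SvcAcctSnapshot {
    # DN catches OU moves; UAC catches security-flag changes (pre-auth, delegation, disabled);
    # SPN and adminCount catch exposure changes.
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties userAccountControl,servicePrincipalName,adminCount |
        ForEach-Object {
            [pscustomobject]@{
                Sam   = $_.SamAccountName
                DN    = $_.DistinguishedName
                UAC   = $_.userAccountControl
                SPN   = (@($_.servicePrincipalName) | Sort-Object) -join ';'
                Admin = [int]$_.adminCount
            }
        }
}

function New-SvcAcctBaseline {
    New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null
    # -InputObject @(...) keeps a JSON array even when only one account exists
    ConvertTo-Json -InputObject @(Get-SvcAcctSnapshot) -Depth 3 | Set-Content -Path $BaselinePath
}

function Test-SvcAcctDrift {
    $base = @{}; foreach ($b in (Get-Content $BaselinePath -Raw | ConvertFrom-Json)) { $base[$b.Sam] = $b }
    $now  = @{}; foreach ($n in Get-SvcAcctSnapshot) { $now[$n.Sam] = $n }
    foreach ($sam in $now.Keys) {
        if (-not $base.ContainsKey($sam)) { [pscustomobject]@{ Account=$sam; Change='Created' }; continue }
        foreach ($f in 'DN','UAC','SPN','Admin') {
            if ("$($base[$sam].$f)" -ne "$($now[$sam].$f)") {
                [pscustomobject]@{ Account=$sam; Change="$f changed"; Before=$base[$sam].$f; After=$now[$sam].$f }
            }
        }
    }
    foreach ($sam in $base.Keys) {
        if (-not $now.ContainsKey($sam)) { [pscustomobject]@{ Account=$sam; Change='Deleted' } }
    }
}

# Usage: New-SvcAcctBaseline once after review, then Test-SvcAcctDrift on every scheduled run
Test-SvcAcctDrift | Format-Table -AutoSize
```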
| Format | Target |
|---|---|
| HTML | Rich dark-mode reports with dynamic compliance cross-references (CIS L1, NIST AC-2) |
| JSON | Native SIEM ingestion |
| CEF | Splunk / QRadar |
| Syslog | Centralized log aggregation |
AD Service Account Manager v1.0.0 · Built for enterprise identity security