Service accounts usage report on where and how it is being used

Products Privilege Secure Discussions & Questions
,
1

Looking for a report on how and where the service accounts are being used within our environment. currently we have to click on each service account and then look for the details on which server it is used and then within that server which service is using the account, manually reviewing this takes lot of effort. Instead if we get an option to pull a report would be helpful.

Text

2

Hi Manju,

We currently don’t have a report for this in the application.

However, I was able to quickly put together a script that uses the NPS API and PowerShell module to fetch this information for each credential where service accounts dependencies are greater than zero.

Do you have interest in this script?

As for having this report in the application itself, can you please submit that request in our ideas portal?

Privilege Secure Ideas - Netwrix Community

- Dan

1 Like
3

@dpiazza Yes, would like to test it in our environment and thank you for your quick response

1 Like
4

Here’s a proof of concept that exports a CSV containing all the service account dependencies NPS known about. It gets all the credentials in NPS, checks which have a dependency count greater than zero, and then gets a list of the service account dependencies for each of those credentials.

This needs to be run as an NPS admin user, however it can be modified to use an application user, which uses a cert for auth, if preferred.

The CSV it exports will be in the same folder the script is run from. Please also note it relies on our PowerShell module, so you need to install SbPAMPowershellModules.msi from the Extras folder first.

param(
    [Parameter(Mandatory)]
    [string]$npsUri,
    [Parameter(Mandatory)]
    [PSCredential]$userCred,
    [Parameter(Mandatory)]
    [string]$userCode
)

# -------------------------
# Pre-flight check
# -------------------------
if (-not (Get-Module -ListAvailable -Name SbPAMAPI)) {
    throw "Required module 'SbPAMAPI' not found. Install SbPAMPowershellModules.msi before running this script."
}

Import-Module SbPAMAPI -Force

# -------------------------
# Helper: Progress display
# -------------------------
function Show-Progress {
    param(
        [int]$Id = 1,
        [string]$Activity,
        [string]$Status,
        [int]$PercentComplete = -1
    )

    if ($PercentComplete -ge 0) {
        Write-Progress -Id $Id -Activity $Activity -Status $Status -PercentComplete $PercentComplete
    } else {
        Write-Progress -Id $Id -Activity $Activity -Status $Status
    }
}

# -------------------------
# Helper: Token renewal
# -------------------------
function Get-RenewToken {
    param(
        [Parameter(Mandatory)]
        [string]$token,
        [Parameter(Mandatory)]
        [string]$npsUri
    )

    $tokenObj   = Convert-SbPAMToken $token
    $expiration = Get-Date -UnixTimeSeconds $tokenObj.exp

    if ($expiration -lt (Get-Date).AddMinutes(7)) {
        Write-Host "$(Get-Date) Refreshing token"
        $token = Invoke-SbPAMRest `
            -Uri "$($npsUri)/api/v1/UserToken" `
            -Token $token `
            -SkipCertificateCheck `
            -ErrorAction Stop
    }

    return $token
}

# -------------------------
# Helper: Normalize objects to EXACT column list + order
# (Exports ONLY these columns; ignores all others)
# -------------------------
function Normalize-ObjectsForCsv {
    param(
        [Parameter(Mandatory)]
        [object[]]$InputObjects,

        [Parameter(Mandatory)]
        [string[]]$ColumnOrder
    )

    foreach ($obj in $InputObjects) {
        $row = [ordered]@{}
        foreach ($col in $ColumnOrder) {
            $row[$col] = $obj.PSObject.Properties[$col].Value
        }
        [pscustomobject]$row
    }
}

# -------------------------
# CSV Column Order (authoritative)
# -------------------------
$CsvColumnOrder = @(
    'id',
    'credentialId',
    'hostId',
    'hostUserId',
    'managedResourceId',
    'resourceName',
    'samAccountName',
    'dnsHostName',
    'type',
    'name',
    'lastPasswordChangeDateTimeUtc',
    'nextPasswordChangeDateTimeUtc',
    'lastPasswordChangeStatus',
    'currentPasswordChangeStatus',
    'lastHostScanDateTimeUtc',
    'nextHostScanDateTimeUtc',
    'lastHostScanStatus'
)

# -------------------------
# Initialization
# -------------------------
$allCreds   = [System.Collections.Generic.List[object]]::new()
$allTasks   = [System.Collections.Generic.List[object]]::new()
$webSession = New-Object Microsoft.PowerShell.Commands.WebRequestSession

$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$csvPath   = Join-Path $PSScriptRoot "credential_scheduled_tasks_$timestamp.csv"

# -------------------------
# Authentication
# -------------------------
$global:token = Get-SbPAMToken `
    -Credential $userCred `
    -Uri $npsUri `
    -WebSession $webSession `
    -SkipCertificateCheck `
    -ErrorAction Stop

$global:token = Get-SbPAMMfaToken `
    -Uri $npsUri `
    -Token $global:token `
    -Code $userCode `
    -WebSession $webSession `
    -SkipCertificateCheck `
    -ErrorAction Stop

# -------------------------
# Phase 1: Fetch credentials (paged)
# -------------------------
$take = 10
$skip = 0
$page = 0

do {
    $global:token = Get-RenewToken -token $global:token -npsUri $npsUri
    $page++

    Show-Progress -Id 1 -Activity "Fetching credentials" -Status "Page $page"

    $searchUri = "$($npsUri)/api/v1/Credential/Search?skip=$skip&take=$take&includeDeleted=false"

    $result = Invoke-SbPAMRest `
        -Uri $searchUri `
        -Token $global:token `
        -SkipCertificateCheck `
        -ErrorAction Stop

    if ($result.data) {
        $allCreds.AddRange($result.data)
    }

    $count = $result.data.Count
    $skip += $take

} while ($count -eq $take)

Write-Progress -Id 1 -Completed

# -------------------------
# Phase 2: Collect HostScheduledTasks ONLY when dependencyCount > 0
# (No /Credential/Details call)
# -------------------------
$i     = 0
$total = $allCreds.Count

foreach ($cred in $allCreds) {
    $i++
    $pct = if ($total -gt 0) { [math]::Round(($i / $total) * 100) } else { 100 }

    # If the property name differs in your payload, change this line only.
    $depCount = [int]($cred.dependencyCount)

    Show-Progress `
        -Id 2 `
        -Activity "Collecting Host Scheduled Tasks" `
        -Status "Credential $i of $total (deps=$depCount)" `
        -PercentComplete $pct

    if ($depCount -le 0) { continue }

    $global:token = Get-RenewToken -token $global:token -npsUri $npsUri

    $tasks = Invoke-SbPAMRest `
        -Uri "$($npsUri)/api/v1/Credential/HostScheduledTasks?hostUserId=$($cred.id)" `
        -Token $global:token `
        -SkipCertificateCheck `
        -ErrorAction Stop

    if ($tasks.data) {
        $allTasks.AddRange($tasks.data)  # keep raw task objects
    }
}

Write-Progress -Id 2 -Completed

# -------------------------
# Export CSV (ONLY the specified columns, in the specified order)
# -------------------------
$normalized = Normalize-ObjectsForCsv `
    -InputObjects $allTasks.ToArray() `
    -ColumnOrder  $CsvColumnOrder

$normalized |
    Export-Csv `
        -Path $csvPath `
        -NoTypeInformation `
        -Encoding UTF8

Write-Host "CSV written to $csvPath"
1 Like