ConfigMgr DCM/Compliance – Check if SQL is running as a service account

This is the fifth and final post in the series of ConfigMgr Configuration Items. This one is used to check if SQL is using a service account.

This is another SQL-related configuration item. The CI checks whether any SQL Server service is running as one of the built-in accounts “NT Service\*”, “LocalSystem” or “NT Authority\*” instead of a dedicated service account.

If a SQL Server service is running as any of the above accounts, the CI flags the server as non-compliant.
Use the following PowerShell script and configure the compliance rule to “The value returned by the script equals Compliant!”

—Script begins below this—
# // *****************
# // **** Header *****
# //
# // Solution: Check if service is using a serviceAccount
# // URL: https://www.addlevel.se
# //
# // Filename: CheckSQLServiceAccounts.ps1
# // Version: 1.0.00.001
# //
# // Purpose: –
# //
# // Usage: For ConfigMgr Compliance Usage
# //
# //
# // History:
# // Jonas Lagerström 2012-09-27 Created initial script.
# //
# //
# // Disclaimer:
# // This script is provided "AS IS" with no warranties,
# // confers no rights and
# // is not supported by the authors.
# //
# // ***** End Header *****
# // *********************

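# Find SQL Server services (name starts with MSSQL) that run as a built-in account.
# The backslash is doubled because WQL treats it as an escape character.
# Wrapping the result in @() gives an array even for zero or one match,
# so the count check below also works on PowerShell 2.0.
$objServices = @(get-wmiobject win32_service -filter "(Name like 'MSSQL%') AND (StartName like 'NT Service\\%' or StartName like 'LocalSystem%' or StartName like 'NT Authority\\%')" | select name,startname)
if ($objServices.Count -gt 0)
{
    # Non-compliant: list each offending service and the account it runs as
    foreach ($objService in $objServices)
    {
        write-host "Service name:" $objService.name "Service Account:" $objService.startname
    }
}
else {write-host "Compliant!"}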

—Script ends above this—

Usual warnings apply, please test all scripts before running them in a production environment!
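
The matching logic can be exercised without a SQL Server host. The following is an added example, not part of the original script: the function name `Get-SqlServiceAccountCompliance` and the sample services are constructed for illustration, and `[pscustomobject]` assumes PowerShell 3.0 or later.

```powershell
# Added example: offline check of the CI's account-matching logic.
# Get-SqlServiceAccountCompliance is a hypothetical helper, not the original script.
function Get-SqlServiceAccountCompliance {
    param(
        # Objects with Name and StartName properties, e.g. from Win32_Service
        [Parameter(Mandatory = $true)]
        [AllowEmptyCollection()]
        [object[]]$Services
    )

    # Same account patterns as the WQL filter; -like is case-insensitive
    $builtInPatterns = 'NT Service\*', 'LocalSystem*', 'NT Authority\*'

    $offenders = @(
        foreach ($svc in $Services) {
            # Only SQL Server services are in scope
            if ($svc.Name -notlike 'MSSQL*') { continue }
            foreach ($pattern in $builtInPatterns) {
                if ($svc.StartName -like $pattern) {
                    "Service name: $($svc.Name) Service Account: $($svc.StartName)"
                    break   # one report line per service is enough
                }
            }
        }
    )

    # Return the exact string the compliance rule compares against
    if ($offenders.Count -gt 0) { return $offenders }
    return 'Compliant!'
}

# Constructed sample data (not taken from a real server)
$sample = @(
    [pscustomobject]@{ Name = 'MSSQLSERVER';     StartName = 'NT Service\MSSQLSERVER' }
    [pscustomobject]@{ Name = 'MSSQL$REPORTING'; StartName = 'CONTOSO\svc-sql' }
    [pscustomobject]@{ Name = 'MSSQLFDLauncher'; StartName = 'NT AUTHORITY\LOCAL SERVICE' }
    [pscustomobject]@{ Name = 'Spooler';         StartName = 'LocalSystem' }
)

# Mixed host: two SQL services on built-in accounts are reported
Get-SqlServiceAccountCompliance -Services $sample

# Host where the only SQL service uses a dedicated account
Get-SqlServiceAccountCompliance -Services $sample[1]
```

The `Spooler` entry checks that non-SQL services running as LocalSystem are ignored, matching the `Name like 'MSSQL%'` condition in the CI script.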

Best regards,

Jonas Lagerström

Posted in Blog, Configuration Manager.