Finding the impact of disabling a SVC account

  • Last Post 24 June 2019
Mahdi posted this 24 June 2019

Hello mates,


In one of the client, I have to deal with one of the big things. There are some SVC accounts in administrator group of the domain. The thing is that I need to remove them from the group and instead assign appropriate delegation. The problem is not so many ppl know what will break if we remove them. And we can't just remove the SVC from the group and wait to see who will call. Do you have faced a similair task like this?


What do you propose if you were on this task? I was thinking about checking the logs on DCs but the problem is,  the environment is huge containing 100+ DCs and logs are regularly over written. Any tips in total?

kurtbuff posted this 24 June 2019

Centralize your logs, and keep them for longer than 7 days so that you
can actually use them.

Try either or both:

1) Weffles:


2) Choose one from any number of syslog clients that understand
Windows logs and install it on each of your DCs, and a good central
syslog server. The best/most flexible of these clients understand more
than just the event log, and will pull events from all sorts of logs.