Sunday, September 18, 2016

Use SCCM Compliance Settings To Find Service Running As Administrator Account

Sometimes you have to change the password for an important user (such as the administrator account).
Changing the password for this kind of user is a project in its own right and should be done with extra care.
With the Compliance Settings feature in SCCM, it's easy to find where this user runs a service.

In this example I'm going to use a PowerShell script to detect the presence of the administrator account as a service logon account. So first, I'm going to change the PowerShell execution policy to Bypass in the client settings for the computers this script is going to run on:

 

Wait for the computers to pull the new settings (depending on the client policy polling interval), and create a new configuration item:
 

 
Select the operating system versions to apply to:


Create a new setting with Script as the setting type and String as the data type, and add the following script:

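# Default to compliant; flip only if a matching service is found
$Compliance = 'Compliant'
# Find services whose logon account (StartName) contains "administrator"
$Check = Get-WmiObject -Class Win32_Service | Where-Object StartName -like "*administrator*"
If ($Check) {$Compliance = 'Non-Compliant'}
# Return the string that the compliance rule evaluates
$Compliance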
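
The discovery script above flags any logon account whose name contains "administrator", so an account such as svc_administrator_backup would also be reported. The following variant is an added example, not part of the original post: it compares the exact account name across the DOMAIN\user, .\user and user@domain forms. The function names, $TargetAccount and the sample services are constructed for illustration.

```powershell
# Added example: exact-match variant of the discovery script.
# $TargetAccount and both function names are assumptions, not SCCM names.
$TargetAccount = 'Administrator'

function Get-AccountLeaf {
    # Reduce 'DOMAIN\user', '.\user' or 'user@domain' to the bare user name.
    param([string]$StartName)
    if (-not $StartName) { return $null }
    $name = $StartName.Trim()
    if ($name -match '^[^\\]*\\(.+)$') { return $Matches[1] }
    if ($name -match '^([^@]+)@.+$')   { return $Matches[1] }
    return $name
}

function Get-ServiceRunningAs {
    # Return the services whose logon account is exactly $Account
    # (string comparison with -eq is case-insensitive in PowerShell).
    param([object[]]$Services, [string]$Account)
    @($Services | Where-Object { (Get-AccountLeaf $_.StartName) -eq $Account })
}

function Test-ServiceAccountCompliance {
    # Same output contract as the original script: one string for the rule.
    param([object[]]$Services, [string]$Account)
    $hits = Get-ServiceRunningAs -Services $Services -Account $Account
    if ($hits.Count -gt 0) { 'Non-Compliant' } else { 'Compliant' }
}

# Constructed sample data standing in for Win32_Service objects.
$sample = @(
    [pscustomobject]@{ Name = 'Spooler';   StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'BackupSvc'; StartName = 'CORP\Administrator' }
    [pscustomobject]@{ Name = 'AppSvc';    StartName = 'administrator@corp.example' }
    [pscustomobject]@{ Name = 'LegacySvc'; StartName = '.\svc_administrator_backup' }
)

# List the matching services, then emit the compliance string.
Get-ServiceRunningAs -Services $sample -Account $TargetAccount |
    ForEach-Object { Write-Verbose ("{0} runs as {1}" -f $_.Name, $_.StartName) }
Test-ServiceAccountCompliance -Services $sample -Account $TargetAccount

# In the configuration item, pass the real services instead of $sample:
# Test-ServiceAccountCompliance -Services (Get-WmiObject -Class Win32_Service) -Account $TargetAccount
```

Because the script still returns only the string Compliant or Non-Compliant, the compliance rule described in the next step works unchanged.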



On the Compliance Rules tab, add a new rule with the word Compliant as the value:


Next, create a new configuration baseline and add the configuration item that was created earlier:


Deploy the configuration baseline to the desired collection and change the evaluation schedule:


Run the Machine Policy Retrieval & Evaluation Cycle and go to the Configurations tab.
Click Refresh and then Evaluate to evaluate the configuration item:


Create a collection of compliant or non-compliant computers to get information about the computers running services under the desired account:


Or, run a compliance report:



Help for writing this post:
https://blogs.technet.microsoft.com/configmgr_geek_speak/2014/01/10/use-configuration-manager-2012-compliance-settings-to-check-for-the-existence-of-a-pki-certificate/
