What domain accounts have SPNs that point to a server

  • Question

  • I have some domain service accounts that have SPNs tied to them.  For example, my SQLServiceAcct.myad.com has an SPN for MSSQLSvc/Server1.myad.com.  I can find this SPN if I know the service account name, but how can I find all the service accounts that have SPNs pointing to a particular server?  For example, I know server2.myad.com has some service accounts with SPNs that point to it.  How do I find them?

    Kevin

    Thursday, July 19, 2012 12:18 PM

Answers

  • http://kabheap.wordpress.com/2011/01/06/code-script-that-finds-all-of-the-spns-for-a-hostname-and-echoes-them-one-at-a-time-to-a-copyable-input-box/

    You may want to try and see if you can work this vbscript into something useful for your needs. You say you have hundreds of SPNs out there, however, this may not be a one-stop-shop answer for you without some expensive multi-technology enabled software. I would imagine SolarWinds to have something.. however... Lesson learned, the best and most effective way to manage this is probably to set up a spreadsheet or database to keep track of these service account relationships so there's no question later, or now for instance...

    Good luck further in your search, sounds like a little keyboard/script magic is all that's going to help you speed this process up.

    I imagine the usage would be along the lines of...

    wscript /nologo script.vbs server1

    or a for loop to script a text list of names

    for /f "tokens=1 delims=" %%g in ('type servers.txt') do (
        rem append with >> so one output.txt collects every server instead of being overwritten each pass
        wscript /nologo script.vbs %%g >> output.txt
    )

    Hope this helps.

    Best Regards,


    Steve Kline
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Technology Specialist: Active Directory, Network Infrastructure, Application Platform, Windows 7
    Microsoft Certified Product Specialist & Network Product Specialist
    Red Hat Certified System Administrator
    Microsoft® Community Contributor Award 2011
    This posting is "as is" without warranties and confers no rights.

    Monday, July 23, 2012 7:51 PM

All replies

  • Have you tried the setspn command? Run it in the command line

    setspn -L <ServerName>

    and you will see all you need.


    Regards, Krzysztof ---- Visit my blog at http://kpytko.wordpress.com

    Thursday, July 19, 2012 1:02 PM
  • Hi,

    I agree with iSiek, however I would like to share one informative link with you for reference. Please check it.

    Service Principal Names

    Hope this helps.

    Thursday, July 19, 2012 2:58 PM
  • Hi Kevin,

    A few more informative links:


    http://blogs.msdn.com/b/psssql/archive/2009/02/13/searching-for-duplicate-spn-s-got-a-little-easier.aspx

    http://blogs.msdn.com/b/saurabh_singh/archive/2009/01/09/new-features-in-setspn-exe-on-windows-server-2008.aspx


    Regards,
    Rafic

    If you found this post helpful, please give it a "Helpful" vote.
    If it answered your question, remember to mark it as an "Answer".
    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

    Thursday, July 19, 2012 3:29 PM
  • That command won't show which service accounts have SPNs that are tied to the server.  It will only show SPNs that the server account has.  Not the ones that service accounts have.

    Kevin

    Thursday, July 19, 2012 7:26 PM
  • Hello,

    If you need to get all SPNs in your domain, run this command (example domain = Contoso.com).

    Ldifde -d "DC=Contoso,DC=Com" -l ServicePrincipalName -F C:\SPN.txt

    Regards


    • Edited by Patris_70 Thursday, July 19, 2012 10:41 PM
    Thursday, July 19, 2012 10:41 PM
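    An added example, not from any poster in this thread, that turns the domain-wide export produced by the ldifde command above into the answer Kevin is after: it parses the LDIF offline and lists every account whose SPNs name a given host, whether the SPN uses the NetBIOS name, the FQDN, or a port suffix. The sample export is constructed to mirror the SPN forms quoted in this thread; on a real export, pass the contents of C:\SPN.txt in place of SAMPLE_LDIF.

```python
import base64
import re
# Constructed sample of an "ldifde -l servicePrincipalName" export (not a real
# dump): base64 values are marked "::", long values fold onto a " "-prefixed line.
SAMPLE_LDIF = """\
dn: CN=Server01_SqlSvc,OU=Service Accounts,DC=myad,DC=com
servicePrincipalName: MSSQLSvc/Server01.MYAD.COM:1433
servicePrincipalName: MSSQLSvc/Server01.MYAD.COM
servicePrincipalName: MSSQLSvc/Server01

dn: CN=RptSvc,OU=Service Accounts,DC=myad,DC=com
servicePrincipalName: HTTP/Server01.myad.com
servicePrincipalName:: SFRUUC9TZXJ2ZXIwMi5teWFkLmNvbQ==

dn: CN=SERVER02,OU=Servers,DC=myad,DC=com
servicePrincipalName: HOST/SERVER02
servicePrincipalName: TERMSRV/server02.myad
 .com
"""

def parse_ldif(text):
    """Yield (dn, [SPNs]) per record, unfolding lines and decoding '::' base64."""
    text = re.sub(r"\r?\n ", "", text)              # undo LDIF line folding
    for block in re.split(r"\r?\n\r?\n", text):     # blank line ends a record
        dn, spns = None, []
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):               # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if name.lower() == "dn":
                dn = value.strip()
            elif name.lower() == "serviceprincipalname":
                spns.append(value.strip())
        if dn:
            yield dn, spns

def spn_host(spn):
    m = re.match(r"[^/]+/([^:/]+)", spn)           # service/host[:port][/name]
    return m.group(1).lower() if m else ""

def accounts_for_host(ldif_text, server):
    """Map account DN -> its SPNs naming `server` (NetBIOS or FQDN form)."""
    wanted = server.lower().split(".")[0]           # compare on the short name
    hits = {}
    for dn, spns in parse_ldif(ldif_text):
        for spn in spns:
            if spn_host(spn).split(".")[0] == wanted:
                hits.setdefault(dn, []).append(spn)
    return hits
```

    Because the export covers the whole naming context, this also surfaces SPNs held by computer objects and by accounts in other OUs, which setspn -L on one known account cannot show.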
  • Hi,

    SETSPN -Q: query for existence of SPN (New feature in SETSPN.EXE on Windows Server 2008)

    So if you want to see all SPNs for a particular server in Windows Server 2008 or later, try this command:
    setspn -q */servername

    Regards,
    Cicely


    Friday, July 20, 2012 2:39 AM
  • This command returned no results.  I know that's inaccurate.  I have hundreds of SPNs out there.  Not sure why.

    Kevin

    Friday, July 20, 2012 5:14 PM
  • This command returns SPNs for TERMSRV and HOST but none for MSSQLSvc.  Not sure why.  I know the SPNs exist for MSSQLSvc because of this:

    I run this:

    setspn -L HUMAD\Server01_SqlSvc

    It returns these four SPNs:

    MSSQLSvc/Server01.MYAD.COM:1433
    MSSQLSvc/Server01.MYAD.COM
    MSSQLSvc/Server01:1433
    MSSQLSvc/Server01

    Need to know if service accounts other than Server01_SqlSvc have SPNs tied to Server01.  I do not know the accounts by name.


    Kevin

    Friday, July 20, 2012 5:20 PM
  • Hi,

    Please try this command:

    Ldifde -f spnaccount.txt -r serviceprincipalname=*/servername* -l serviceprincipalname,samaccountname

    Regards,
    Cicely

    Saturday, July 21, 2012 2:42 PM
  • I tried the command using the server which has the SPN I mentioned above.  It didn't return any SPNs.

    Connecting to "DC1.MYAD.com"
    Logging in as current user using SSPI
    Exporting directory to file spnaccount.txt
    Searching for entries...
    Writing out entries
    No Entries found


    Kevin

    Monday, July 23, 2012 7:10 PM