How to grant "Write ServicePrincipalName" and "Write validated SPN" rights to the directory for a service account

    Question

  • Hi,

    How can I grant "Write ServicePrincipalName" and "Write validated SPN" rights to the directory for a service account or computers?

    Shailendra


    Shailendra Dev

    Tuesday, April 1, 2014 8:40 AM

Answers

  • Computers can already write their own SPNs; you can use the following DSACLs snippet to grant a service account the right to write its own SPNs.

    dsacls <DomainName_of_Service_Account> /G SELF:RPWP;"servicePrincipalName"


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Tuesday, April 1, 2014 9:09 AM
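    The same grant done from PowerShell, plus a check of who already holds the right, as an added example that is not code from this thread or from any of its posters. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and a domain-joined admin workstation; the two GUIDs are the schema identifiers of the servicePrincipalName attribute and of the "Validated write to service principal name" right.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module
# and the AD: PSDrive it provides; run on a domain-joined admin workstation.
Import-Module ActiveDirectory

# Schema GUIDs for the servicePrincipalName attribute and for the
# "Validated write to service principal name" validated right.
$spnAttributeGuid = [Guid]'28630ebb-41d5-11d1-a9c1-0000f80367c1'
$validatedSpnGuid = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
$Rights = [System.DirectoryServices.ActiveDirectoryRights]
$Allow  = [System.Security.AccessControl.AccessControlType]::Allow

# Grant NT AUTHORITY\SELF (S-1-5-10) both rights on one service account object:
# the PowerShell equivalent of the dsacls snippet above, plus the validated write.
function Grant-SelfSpnWrite {
    param([Parameter(Mandatory)][string]$ObjectDN)   # DN of the service account
    $self = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'
    $acl  = Get-Acl -Path "AD:\$ObjectDN"
    # Unvalidated write: the account may set any SPN value on itself.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $self, ($Rights::ReadProperty -bor $Rights::WriteProperty), $Allow, $spnAttributeGuid))
    # Validated write: the DC checks the value against the object's own
    # dNSHostName/sAMAccountName first; prefer this narrower right when it suffices.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $self, $Rights::Self, $Allow, $validatedSpnGuid))
    Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl
}

# List every Allow ACE that lets a principal write servicePrincipalName on an object:
# attribute-scoped entries, the validated write, and unscoped GenericWrite/GenericAll
# (ObjectType empty), which the per-attribute view in the GUI does not show as SPN entries.
function Get-SpnWriteHolders {
    param([Parameter(Mandatory)][string]$ObjectDN)
    (Get-Acl -Path "AD:\$ObjectDN").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            ($_.ObjectType -eq $spnAttributeGuid -and (($_.ActiveDirectoryRights -band $Rights::WriteProperty) -ne 0)) -or
            ($_.ObjectType -eq $validatedSpnGuid -and (($_.ActiveDirectoryRights -band $Rights::Self) -ne 0)) -or
            ($_.ObjectType -eq [Guid]::Empty     -and (($_.ActiveDirectoryRights -band $Rights::GenericWrite) -ne 0))
        )
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# Usage with a constructed DN (replace with a real object):
# Grant-SelfSpnWrite  -ObjectDN 'CN=svc-web,OU=ServiceAccounts,DC=example,DC=com'
# Get-SpnWriteHolders -ObjectDN 'CN=svc-web,OU=ServiceAccounts,DC=example,DC=com'
```

    Scope the grant to SELF on the specific account rather than to a broad group on an OU, and keep the audit function in a periodic review, since any principal listed by it can change which Kerberos services that account is trusted for.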
  • Right-click on the OU and select Properties
    Select the "Security" tab
    Select the "Advanced" tab
    Select the "Add" button
    Enter the security principal name and click Ok
    Select the "Properties" tab
    Apply to: Descendant User objects
    Permissions:
      Read servicePrincipalName - Allow
      Write servicePrincipalName - Allow
    Ok, Ok, Ok


    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

    Tuesday, April 1, 2014 11:59 AM
    Moderator

All replies

  • Dear

    I'm applying exactly what you describe in the above solution. I'm working on a Windows 2012 R2 with an AD and Forest Mode in Windows 2012. I'm logged on as Enterprise Admin. However, neither read nor write servicePrincipalName is listed on the attribute sets?

    I tried to add the SELF account, add the rights to a domain local group. I tried on the OU level and on the service account itself.

    Thanks for the feedback.
    Regards
    Peter


    Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be

    Monday, October 10, 2016 1:02 PM
  • Peter,

    In my experience, you need to set:

     Apply to: Descendant Computer objects

    Wednesday, October 19, 2016 1:04 PM
  • A little necroposting.

    Maybe it would be useful for somebody. Read/write servicePrincipalName are shown only for computer accounts using the dsa.msc console. To set these ACLs for a user account you need to use adsiedit.msc.

    Friday, January 19, 2018 12:43 PM
  • Use ADSIEdit.msc; you will find ServicePrincipalName for all descendant users.
    Friday, February 23, 2018 5:46 PM