Monday, October 22, 2012

PowerShell to display SPN and Delegation Information for SharePoint Accounts


When troubleshooting Kerberos issues it is sometimes helpful to see all of the SPNs and delegate-to settings for my various SharePoint accounts.  Since our SharePoint accounts are named consistently this ended up being quite easy.  I set an LDAP filter that matches accounts whose name starts with PRD-SP and searched the appropriate container in Active Directory.  I piped the output to a file and had a useful listing of all the SPNs and their delegate-to settings.

# LDAP filter: user objects whose sAMAccountName starts with PRD-SP
$strFilter = "(&(objectCategory=User)(sAMAccountName=PRD-SP*))"

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = "LDAP://OU=SharePoint,OU=Special Accounts,DC=domain,DC=com"
$objSearcher.PageSize = 1000          # page the results so more than 1000 matches are returned
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"

# Only load the attributes that will be displayed
$colPropList = "sAMAccountName","name","msDS-AllowedToDelegateTo","servicePrincipalName"

# Add() returns the index of the added entry; discard it so it does not clutter the output
foreach ($i in $colPropList){ $objSearcher.PropertiesToLoad.Add($i) | Out-Null }

$colResults = $objSearcher.FindAll()

# Attribute names in the result collection are lower-case
foreach ($objResult in $colResults) {
    #$objResult.Properties
    $objResult.Properties["name"]
    $objResult.Properties["samaccountname"]
    "================================================"
    "msDS-AllowedToDelegateTo"
    "------------------------------------------------"
    $objResult.Properties["msds-allowedtodelegateto"]
    "------------------------------------------------"
    "servicePrincipalName"
    "------------------------------------------------"
    $objResult.Properties["serviceprincipalname"]
    ""
    ""
}
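The script above prints a text listing, which is fine for a quick look but awkward when the question is "which of these accounts is allowed to delegate, and in which mode, and is any SPN registered twice?". The following is an added example, not part of the original post, that runs the same DirectorySearcher query but emits one object per account, classifies delegation as none, constrained (Kerberos only), constrained with protocol transition, or unconstrained using the userAccountControl flags TRUSTED_FOR_DELEGATION (0x80000) and TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000), and reports SPNs that appear on more than one account (a duplicate SPN is a common cause of Kerberos authentication failures for the service). The OU path and the PRD-SP prefix are reused from the post as assumed defaults; change them for your domain.

```powershell
# Added example (not from the original post). Assumes the OU path and the PRD-SP
# naming prefix from the post; both are parameters so they can be changed.

# Published userAccountControl bit values
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

function Get-SharePointDelegationReport {
    param(
        [string]$SearchRoot = "LDAP://OU=SharePoint,OU=Special Accounts,DC=domain,DC=com",
        [string]$NamePrefix = "PRD-SP"
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = $SearchRoot
    $searcher.PageSize    = 1000
    $searcher.SearchScope = "Subtree"
    $searcher.Filter      = "(&(objectCategory=User)(sAMAccountName=$NamePrefix*))"
    foreach ($p in "sAMAccountName","userAccountControl","msDS-AllowedToDelegateTo","servicePrincipalName") {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    $results = $null
    try {
        $results = $searcher.FindAll()
        foreach ($r in $results) {
            $uac     = [int]$r.Properties["useraccountcontrol"][0]
            $spns    = @($r.Properties["serviceprincipalname"])
            $targets = @($r.Properties["msds-allowedtodelegateto"])

            # Unconstrained delegation wins over any msDS-AllowedToDelegateTo list
            $mode = "None"
            if ($uac -band $TRUSTED_FOR_DELEGATION) {
                $mode = "Unconstrained"
            } elseif ($targets.Count -gt 0) {
                if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
                    $mode = "Constrained (any protocol)"
                } else {
                    $mode = "Constrained (Kerberos only)"
                }
            }

            [pscustomobject]@{
                Account        = [string]$r.Properties["samaccountname"][0]
                DelegationMode = $mode
                SpnCount       = $spns.Count
                SPNs           = ($spns -join "; ")
                DelegateTo     = ($targets -join "; ")
            }
        }
    }
    finally {
        if ($results) { $results.Dispose() }
        $searcher.Dispose()
    }
}

# Report SPNs registered on more than one account within the result set.
# SPN comparison is case-insensitive, matching how the KDC resolves them.
function Find-DuplicateSpn {
    param([Parameter(ValueFromPipeline = $true)][pscustomobject[]]$Report)
    begin { $owners = @{} }
    process {
        foreach ($row in $Report) {
            foreach ($spn in ($row.SPNs -split "; ")) {
                if (-not $spn) { continue }
                $key = $spn.ToLowerInvariant()
                if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
                $owners[$key] += $row.Account
            }
        }
    }
    end {
        foreach ($k in $owners.Keys) {
            if ($owners[$k].Count -gt 1) {
                [pscustomobject]@{ SPN = $k; Accounts = ($owners[$k] -join ", ") }
            }
        }
    }
}

$report = Get-SharePointDelegationReport
$report | Sort-Object DelegationMode, Account | Format-Table -AutoSize
"Duplicate SPNs:"
$report | Find-DuplicateSpn | Format-Table -AutoSize
```

Because the report is made of objects rather than formatted strings, `$report | Export-Csv delegation.csv -NoTypeInformation` gives a file that can be diffed against an earlier run, which is a convenient way to notice an account that has acquired unconstrained delegation or an unexpected SPN since the last check.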
