When troubleshooting Kerberos issues it is sometimes helpful to see all the SPNs and "delegate to" settings for my various SharePoint accounts. Since our SharePoint accounts are named in a consistent way, this ended up being quite easy. I set a filter that looks for accounts whose names start with PRD-SP and searched the proper container in Active Directory. I piped the output to a file and had a useful listing of all the SPNs and their "delegate to" settings.
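# Reports the SPNs and "delegate to" settings of the SharePoint service accounts
# so the Kerberos configuration can be reviewed in one listing.
#
# Scope of the report: msDS-AllowedToDelegateTo holds constrained-delegation
# targets only. Unconstrained delegation is a userAccountControl flag
# (TRUSTED_FOR_DELEGATION), which this script does not load, so an account with
# an empty "delegate to" list here is not necessarily free of delegation rights.
#
# The listing maps service accounts to the services they may delegate to; when
# piping it to a file, keep that file somewhere only administrators can read.

# LDAP filter: user accounts whose sAMAccountName starts with PRD-SP.
$strFilter = "(&(objectCategory=User)(sAMAccountName=PRD-SP*))"

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = "LDAP://OU=SharePoint,OU=Special Accounts,DC=domain,DC=com"
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"

# Load only the attributes the report prints.
$colPropList = "sAMAccountName","name","msDS-AllowedToDelegateTo","servicePrincipalName"
foreach ($i in $colPropList) {
    # Add() returns the index of the new entry; discard it so stray integers
    # do not end up in the report.
    [void]$objSearcher.PropertiesToLoad.Add($i)
}

$colResults = $objSearcher.FindAll()
try {
    foreach ($objResult in $colResults) {
        # Uncomment to dump every loaded property while debugging:
        #$objResult.Properties

        # Property names are looked up in lower case in the result collection.
        $objResult.Properties["name"]
        $objResult.Properties["samaccountname"]
        "================================================"
        "msDS-AllowedToDelegateTo"
        "------------------------------------------------"
        $objResult.Properties["msds-allowedtodelegateto"]
        "------------------------------------------------"
        "servicePrincipalName"
        "------------------------------------------------"
        $objResult.Properties["serviceprincipalname"]
        ""
        ""
    }
}
finally {
    # SearchResultCollection holds unmanaged directory resources that the
    # garbage collector does not release; dispose of it explicitly.
    $colResults.Dispose()
    $objSearcher.Dispose()
}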