Powershell: How do you set the Read/Write Service Principal Name AD Permissions?

11,696

Solution 1

You need to add an ActiveDirectoryAccessRule object to the ACL of the target object. For setting property-specific rights the trick is to pass in the schemaIDGUID of the attribute. So first we need to find the schemaIDGUID from the Service-Principal-Name schema entry. In the sample code I statically refer to the Service-Principal-Name; better yet would have been to search for the ldapDisplayName to find the entry, but I'm sure you can sort that out. In any case this code should do the job:

Function Set-SpnPermission {
    param(
        [adsi]$TargetObject,                              # directory entry (or LDAP path) whose ACL is modified
        [Security.Principal.IdentityReference]$Identity,  # trustee that receives the rights
        [switch]$Write,
        [switch]$Read
    )
    if(!$write -and !$read){
        throw "Missing either -read or -write"
    }
    # Locate the schema partition and read the schemaIDGUID of the Service-Principal-Name attribute;
    # this GUID is what makes the ACE property-specific instead of object-wide
    $rootDSE = [adsi]"LDAP://RootDSE"
    $schemaDN = $rootDSE.psbase.properties["schemaNamingContext"][0]
    $spnDN = "LDAP://CN=Service-Principal-Name,$schemaDN"
    $spnEntry = [adsi]$spnDN
    $guidArg=@("")
    $guidArg[0]=$spnEntry.psbase.Properties["schemaIDGUID"][0]   # raw byte[] as stored in the directory
    $spnSecGuid = new-object GUID $guidArg

    if($read ){$adRight=[DirectoryServices.ActiveDirectoryRights]"ReadProperty" }
    if($write){$adRight=[DirectoryServices.ActiveDirectoryRights]"WriteProperty"}
    if($write -and $read){$adRight=[DirectoryServices.ActiveDirectoryRights]"ReadProperty,WriteProperty"}
    # identity, rights, Allow/Deny, object type (the attribute GUID), inheritance ("None" = this object only)
    $accessRuleArgs = $identity,$adRight,"Allow",$spnSecGuid,"None"
    $spnAce = new-object DirectoryServices.ActiveDirectoryAccessRule $accessRuleArgs
    $TargetObject.psbase.ObjectSecurity.AddAccessRule($spnAce)
    $TargetObject.psbase.CommitChanges()
    return $spnAce
}

Sample lines for calling the function...

$TargetObject = "LDAP://CN=User,OU=My User Org,DC=domain,DC=net"
$Identity = [security.principal.ntaccount]"domain\user"

Set-SpnPermission -TargetObject $TargetObject -Identity $Identity -write -read
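As an added companion to the answer above (not part of the original post), the following function does the reverse: it looks up the attribute's schemaIDGUID by ldapDisplayName, as the answer suggests, and then reports which identities currently hold ReadProperty or WriteProperty on servicePrincipalName for a target object, so the result of Set-SpnPermission can be verified or an account audited. It assumes a domain-joined host; the LDAP path in the usage line is a placeholder.

```powershell
# Added example, not from the original answer. Lists ACEs on the target object that grant
# Read/Write of servicePrincipalName, either directly (ObjectType = attribute GUID) or via
# an all-properties ACE (ObjectType = empty GUID). Property sets and validated writes are
# not matched here, so treat the output as a subset of effective access.
Function Get-SpnPermission {
    param(
        [Parameter(Mandatory)][adsi]$TargetObject
    )
    # Resolve the schema container and search it for the attribute by ldapDisplayName
    $rootDSE  = [adsi]"LDAP://RootDSE"
    $schemaDN = $rootDSE.psbase.Properties["schemaNamingContext"][0]
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$schemaDN"
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=servicePrincipalName))"
    [void]$searcher.PropertiesToLoad.Add("schemaIDGUID")
    $result = $searcher.FindOne()
    if (-not $result) { throw "servicePrincipalName attribute not found in schema" }
    # schemaIDGUID comes back as byte[]; the leading comma passes it as one constructor argument
    $spnGuid = New-Object Guid (,[byte[]]$result.Properties["schemaidguid"][0])

    # Walk the DACL, resolving each trustee to DOMAIN\name
    $acl   = $TargetObject.psbase.ObjectSecurity
    $rules = $acl.GetAccessRules($true, $true, [Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        $coversSpn = ($rule.ObjectType -eq $spnGuid) -or ($rule.ObjectType -eq [Guid]::Empty)
        # -band also catches GenericRead/GenericWrite/GenericAll, which include these bits
        $hasRead  = ($rule.ActiveDirectoryRights -band [DirectoryServices.ActiveDirectoryRights]::ReadProperty)  -ne 0
        $hasWrite = ($rule.ActiveDirectoryRights -band [DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0
        if ($coversSpn -and ($hasRead -or $hasWrite)) {
            [pscustomobject]@{
                Identity      = $rule.IdentityReference.Value
                AccessType    = $rule.AccessControlType   # Allow or Deny
                Read          = $hasRead
                Write         = $hasWrite
                AllProperties = ($rule.ObjectType -eq [Guid]::Empty)
                Inherited     = $rule.IsInherited
            }
        }
    }
}

# Usage with a placeholder path; run after Set-SpnPermission to confirm the new ACE is present
Get-SpnPermission -TargetObject "LDAP://CN=User,OU=My User Org,DC=domain,DC=net" | Format-Table -AutoSize
```

Deny entries are listed alongside Allow entries, so check the AccessType column before concluding that an identity can write the attribute.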

Solution 2

Here is an example using Quest to set the permissions on the service principal name attributes.

First, add Quest:

Add-PSSnapin Quest.ActiveRoles.ADManagement;

Set the permission (using Add-QADPermission):

Get-QADUser UserName | Add-QADPermission -Account 'SELF' -Rights 'ReadProperty,WriteProperty' -Property 'servicePrincipalName' -ApplyTo 'ThisObjectOnly';
Author: thepip3r

Updated on June 20, 2022

Comments

  • thepip3r, almost 2 years ago

    In Powershell, how do you set the Read/Write Service Principal Name AD user permissions?

    Normally during my build process, I use ADSIedit to navigate to that object, and then go through all the security tabs to get down to put a checkmark next to:

    • Read Service Principal Name
    • Write Service Principal Name

    But navigating through ADSIedit can take a long time so I'm trying to script the process. If I have a PowerShell LDAP bind with a new user created, how can I use PowerShell to set both of these properties for this user account?

    The following is a hacked out code-snippet of the possible pertinent portions of my install script:

    # $strSCCMSQL and $strUsersOU are set earlier in the install script (not shown here)
    $strDomain = "dc=my,dc=com"
    $objDomain = [ADSI]("LDAP://" + $strDomain)   # parenthesised so the cast applies to the full path
    $strSCCMSQLPW = Read-Host -AsSecureString ("Please enter a password for the " + $strSCCMSQL + " account: ")
    New-ADUser -SamAccountName $strSCCMSQL -Name $strSCCMSQL -AccountPassword $strSCCMSQLPW -Enabled $true -Path ($strUsersOU + "," + $strDomain) -PasswordNeverExpires $true