6

In Powershell, how do you set the Read/Write Service Principal Name AD user permissions?

Normally during my build process, I use ADSIedit to navigate to that object, and then go through all the security tabs to get down to put a checkmark next to:

  • Read Service Principal Name
  • Write Service Principal Name

But navigating through ADSIedit can take a long time so I'm trying to script the process. If I have a PowerShell LDAP bind with a new user created, how can I use PowerShell to set both of these properties for this user account?

The following is a hacked out code-snippet of the possible pertinent portions of my install script:

$strDomain = "dc=my,dc=com"
$objDomain = [ADSI] "LDAP://" + strDomain 
$strSCCMSQLPW = Read-Host -assecurestring "Please enter a password for the " + $strSCCMSQL + " account: "
New-ADUser -SamAccountName $strSCCMSQL + -Name $strSCCMSQL -AccountPassword $strSCCMSQLPW -Enabled $true -Path $strUsersOU + "," + $strDomain -PasswordNeverExpires $true
Harvey Kwok
  • 11,713
  • 6
  • 37
  • 59
thepip3r
  • 2,855
  • 6
  • 32
  • 38

3 Answers3

8

You need to add an ActiveDirectoryAccessRule object to the ACL of the target object. For setting property specific rigths the trick is to pass in the schemaIDGUID to the attribute. So first we need to find the schemaIDGUID from the Service-Principal-Name schema entry. In the sample code i statically refer to the Service-Principal-Name, better yet would have been to search for the ldapDisplayname to find the entry but I'm sure you can sort that out. In any case this code should do the job:

Function Set-SpnPermission {
    param(
        [adsi]$TargetObject,
        [Security.Principal.IdentityReference]$Identity,
        [switch]$Write,
        [switch]$Read
    )
    if(!$write -and !$read){
        throw "Missing either -read or -write"
    }
    $rootDSE = [adsi]"LDAP://RootDSE"
    $schemaDN = $rootDSE.psbase.properties["schemaNamingContext"][0]
    $spnDN = "LDAP://CN=Service-Principal-Name,$schemaDN"
    $spnEntry = [adsi]$spnDN
    $guidArg=@("")
    $guidArg[0]=$spnEntry.psbase.Properties["schemaIDGUID"][0]
    $spnSecGuid = new-object GUID $guidArg

    if($read ){$adRight=[DirectoryServices.ActiveDirectoryRights]"ReadProperty" }
    if($write){$adRight=[DirectoryServices.ActiveDirectoryRights]"WriteProperty"}
    if($write -and $read){$adRight=[DirectoryServices.ActiveDirectoryRights]"readproperty,writeproperty"}
    $accessRuleArgs = $identity,$adRight,"Allow",$spnSecGuid,"None"
    $spnAce = new-object DirectoryServices.ActiveDirectoryAccessRule $accessRuleArgs
    $TargetObject.psbase.ObjectSecurity.AddAccessRule($spnAce)
    $TargetObject.psbase.CommitChanges()    
    return $spnAce
}

Sample lines for calling the function...

$TargetObject = "LDAP://CN=User,OU=My User Org,DC=domain,DC=net"
$Identity = [security.principal.ntaccount]"domain\user"

Set-SpnPermission -TargetObject $TargetObject -Identity $Identity -write -read
CosmosKey
  • 1,287
  • 11
  • 13
  • Thanx for the post Cosmos. I'm going to verify it works and then Mark. I appreciate the late pickup! lol. – thepip3r Jun 10 '11 at 11:20
1

Here is an example using Quest to set the permissions on the service principal name attributes.

First, add Quest:

Add-PSSnapin Quest.ActiveRoles.ADManagement;

Set the permission (using Add-QADPermission):

Get-QADUser UserName | Add-QADPermission -Account 'SELF' -Rights 'ReadProperty,WriteProperty' -Property 'servicePrincipalName' -ApplyTo 'ThisObjectOnly';
Kevin Verhoeven
  • 11
  • 1
0

You can use Quest AD cmdlets. It makes AD permission stuff very easy in PowerShell.

Read this blog for some examples on how to add AD permissions or even copy the AD permissions.

Just lookup Add-QADPermission and it should do your job.

Harvey Kwok
  • 11,713
  • 6
  • 37
  • 59