List all SPNs but filter out certain types of Service Classes

Dane Briggs 281 Reputation points
2024-08-09T16:48:05.2433333+00:00

I am currently using this script to get all AD objects with SPNs.

Get-ADObject -Filter 'servicePrincipalName -like "*"' -properties *|
    ForEach-Object{
        $_ | Select-Object      @{n='Object Name';e={$_.name}}, 
                                @{n="DN";e={$_.distinguishedName}},
                                objectCategory,
                                @{n="servicePrincipalNames";e={$_.servicePrincipalName -join ";"}}
    } | Export-Csv SPNs.csv -NoTypeInformation

However, it is returning a bunch of noise. I want to filter out certain types of Service Classes like HOST, RestrictedKrbHost, and WSMAN to start. I'm struggling with the syntax that would remove these Service Classes from the output.


Accepted answer
  1. Rich Matheisen 47,901 Reputation points
    2024-08-10T03:15:53.2033333+00:00

    By "Service Classes", do you mean the first part of the service principal name?

    kadmin/changepw, ldap/SRV02, Microsoft Virtual Console Service/SRV02, etc.?

    Is your question really "how do I get a list of all AD objects that have a service principal name in a list of SPNs that we've created (i.e., specific to our AD)?" Or maybe "How do I get a list of all SPN names specific to our AD?"

    Here's a crude way of getting a list of unique SPN classes. Run it once with an empty list to get a list of all SPN classes found in the current domain. Select the ones you don't want to see and add them to the list. Then rerun it to verify that the list contains what you want.

    # any name in this list won't be included in the output
    $NotThese = "TERMSRV", "Hyper-V Replica Service", "Microsoft Virtual System Migration Service"
    
    # get a list of ALL SPN names used
    $x = Get-ADObject -Filter * -properties serviceprincipalname |
            Select-Object -Expand serviceprincipalname |
                ForEach-Object{$_} 
    
    # eliminate unwanted SPNs and duplicates
    $WantedSpnNames = @{}
    foreach ($spn in $x){
        ($sn,$rest) = $spn -split('/',2)
            if ($sn -notin $NotThese){
                $WantedSpnNames[$sn] = $true
            }
    }
    $y = $WantedSpnNames.Keys | Sort-Object     # add any names you DON'T want in your report to the $NotThese array!
    $y                                          # display the unique service classes found
    
    
    ### use this to get the information for the service you DO want
    # List populated from limited AD used only for testing
    # Your list of unwanted names will vary
    $NotThese = "WSMAN", "kadmin", "GC", "Microsoft Virtual Console Service","HOST", "RPC", "RestrictedKrbHost", "DNS", "ldap", "TERMSRV", "Hyper-V Replica Service", "Microsoft Virtual System Migration Service"
    get-adobject -filter * -Properties serviceprincipalname, objectcategory |
        ForEach-Object{
            $servicenames = @()
            foreach ($s in $_.serviceprincipalname){
                ($sn,$rest) = $s -split("/",2)
                if ($sn -notin $NotThese){
                    $servicenames += $s
                }
            }
            if ($servicenames.count -gt 0){
                $_ | Select-Object  @{n='Object Name';e={$_.name}}, 
                                    @{n="DN";e={$_.distinguishedName}},
                                    @{n="objectCategory";e={$_.objectCategory -replace '^CN=(.+?)(?<!\\),.*','$1'}},
                                    @{n="servicePrincipalNames";e={$servicenames -join ";"}}
            }
        } | export-csv c:\junk\SPNs.csv -NoTypeInformation
    

    Keep in mind that the serviceprincipalname property is a multi-valued object. Each element must be examined.

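A reusable version of the per-element filter the accepted answer describes, added here as an example that is not code from the question or the answer. The function name Select-SpnByClass, its default exclusion list (the three classes named in the question) and the sample objects are assumptions constructed for the demonstration.

```powershell
function Select-SpnByClass {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $InputObject,
        # Service classes to drop; the defaults are the three named in the question
        [string[]] $ExcludeClass = @('HOST', 'RestrictedKrbHost', 'WSMAN')
    )
    begin {
        # Case-insensitive set: service class comparison should ignore case, as AD does
        $skip = [System.Collections.Generic.HashSet[string]]::new(
            [string[]]$ExcludeClass, [System.StringComparer]::OrdinalIgnoreCase)
    }
    process {
        # servicePrincipalName is multi-valued, so every element is tested on its own
        $kept = foreach ($spn in @($InputObject.servicePrincipalName)) {
            # The service class is everything before the first '/'; the instance part
            # may carry a port or service name, e.g. MSSQLSvc/sql01.contoso.com:1433
            $class = ($spn -split '/', 2)[0]
            if ($spn -and -not $skip.Contains($class)) { $spn }
        }
        if ($kept) {
            [pscustomobject]@{
                'Object Name'         = $InputObject.name
                DN                    = $InputObject.distinguishedName
                objectCategory        = $InputObject.objectCategory -replace '^CN=(.+?)(?<!\\),.*', '$1'
                servicePrincipalNames = @($kept) -join ';'
            }
        }
    }
}

# Constructed sample objects standing in for the output of
# Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName, objectCategory
$cat = 'CN={0},CN=Schema,CN=Configuration,DC=contoso,DC=com'
$sample = @(
    [pscustomobject]@{ name = 'SRV01'; distinguishedName = 'CN=SRV01,OU=Servers,DC=contoso,DC=com'
        objectCategory = $cat -f 'Computer'   # only excluded classes
        servicePrincipalName = @('HOST/SRV01', 'HOST/srv01.contoso.com', 'RestrictedKrbHost/SRV01', 'WSMAN/srv01.contoso.com') }
    [pscustomobject]@{ name = 'SQL01'; distinguishedName = 'CN=SQL01,OU=Servers,DC=contoso,DC=com'
        objectCategory = $cat -f 'Computer'   # HOST mixed with MSSQLSvc
        servicePrincipalName = @('HOST/SQL01', 'MSSQLSvc/sql01.contoso.com:1433') }
    [pscustomobject]@{ name = 'svc_web'; distinguishedName = 'CN=svc_web,OU=Service Accounts,DC=contoso,DC=com'
        objectCategory = $cat -f 'Person'     # a single http SPN
        servicePrincipalName = @('http/web.contoso.com') }
)
# Replace $sample with the Get-ADObject call above to run against the domain
$sample | Select-SpnByClass | Format-Table -AutoSize
```

The exclusion cannot be pushed into the LDAP filter: a clause such as `(!(servicePrincipalName=HOST/*))` discards every object that has even one HOST SPN, including its MSSQLSvc or http entries, which is why each value of the multi-valued attribute has to be tested on the client side.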