Manage Active Directory user SPNs with PowerShell

Service principal names (SPNs) are attached to user and computer Active Directory (AD) objects; you can add, remove, or modify them at will. One way to manage SPNs is to use the ActiveDirectory PowerShell module. This module contains the Get-Ad* and Set-Ad* cmdlets capable of reading and writing SPNs on user and computer objects.

AD SPNs are unique identifiers for services in AD. Applications rely on SPNs constantly to authenticate users and resources. Even though SPNs are used so widely, there is no easy way to manage them with the native GUI tools. Fortunately, PowerShell fills that gap: it lets you not only manage SPNs but also automate their management.

Perhaps I want to create a new SPN on a user object with a SamAccountName of katmil. I can look at this user account and confirm there is no SPN associated with it by using Get-AdUser.

No user SPNs created


As you can see above, the ServicePrincipalNames property of the user object stores the SPNs.

I can add an SPN by using the Set-AdUser cmdlet with the ServicePrincipalNames parameter. This parameter requires a hash table whose key names the action you'd like to perform on the SPN (Add/Remove/Replace) and whose value is the SPN itself.

Below, you can see that the katmil user account appears to be a service account used to authenticate a web server.

I can run Get-AdUser, and this time, you'll see the SPN show up in the ServicePrincipalNames property.

Perhaps I need to add multiple SPNs to this user account. To do this, I change the single HTTP/webserver string provided as the hash table value into a comma-separated list of SPN strings.

I've changed my mind; now I'd like to replace these SPNs with new values. To replace SPNs, I can use the Replace hash table key passed to the ServicePrincipalNames parameter. Below, I'm replacing the SPN HTTP/webserver with HTTP/newwebserver. Notice that we can't explicitly specify the old SPN: the Replace key simply overwrites whatever SPNs are already there, whereas Add appends a new one.

I've changed my mind again; now I just want to remove this SPN. Luckily, I have the Remove key to make this happen.

Finally, if I'd rather remove all SPNs completely, I can pass a $null value to the ServicePrincipalNames parameter to remove all SPNs regardless of name.
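The whole Set-AdUser sequence described above, as an added example that is not code from the original article. It assumes the ActiveDirectory module (RSAT) is installed and that you have rights to write the servicePrincipalName attribute. The account name katmil and the HTTP/webserver values come from the article; the Get-UserSpn and Test-SpnInUse helpers are this example's own additions. Test-SpnInUse is the check a practitioner wants before an Add: an SPN must be unique in the forest, otherwise the KDC cannot decide which account to issue a service ticket for and Kerberos authentication to that service fails.

```powershell
# Added example (not from the original article): add / add-multiple / replace /
# remove / clear-all with Set-ADUser's ServicePrincipalNames hash table.
# Assumes the ActiveDirectory module and write rights on the target account.

Import-Module ActiveDirectory

$user = 'katmil'   # account name taken from the article

# Helper (example's own): read back the current SPNs of an account
function Get-UserSpn {
    param([string]$SamAccountName)
    (Get-ADUser -Identity $SamAccountName -Properties ServicePrincipalNames).ServicePrincipalNames
}

# Helper (example's own): is this SPN already registered on any object in the domain?
# Duplicate SPNs break Kerberos for the service, so check before adding.
function Test-SpnInUse {
    param([string]$Spn)
    # Escape the LDAP filter metacharacters that could appear in an SPN value
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $hit = Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" -Properties servicePrincipalName
    return [bool]$hit
}

# 1. Confirm the account starts without SPNs
Get-UserSpn -SamAccountName $user

# 2. Add a single SPN (hash table key 'Add'), after the uniqueness check
if (Test-SpnInUse -Spn 'HTTP/webserver') {
    Write-Warning 'HTTP/webserver is already registered elsewhere; not adding a duplicate.'
} else {
    Set-ADUser -Identity $user -ServicePrincipalNames @{ Add = 'HTTP/webserver' }
}

# 3. Add several SPNs at once: the comma-separated values form an array of strings
Set-ADUser -Identity $user -ServicePrincipalNames @{ Add = 'HTTP/webserver2', 'HTTP/webserver3' }
Get-UserSpn -SamAccountName $user

# 4. Replace: discards every existing SPN and writes only the supplied set
Set-ADUser -Identity $user -ServicePrincipalNames @{ Replace = 'HTTP/newwebserver' }

# 5. Remove one named SPN
Set-ADUser -Identity $user -ServicePrincipalNames @{ Remove = 'HTTP/newwebserver' }

# 6. Clear the attribute entirely, regardless of which SPNs are present
Set-ADUser -Identity $user -ServicePrincipalNames $null
Get-UserSpn -SamAccountName $user
```

Run it in an account with delegated write access to servicePrincipalName rather than as a Domain Admin; the Replace step is the one to be careful with in scripts, since it silently drops SPNs that other services on the same account may depend on.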

Even though using Get-AdUser and Set-AdUser to manage SPNs is a straightforward process, we can make this even easier and more structured using a community module called ActiveDirectorySPN. You can find this module on GitHub. Download it and move it into a folder where PowerShell can see it, such as C:\Files.

After downloading it, run Get-Module -Name ActiveDirectorySPN -List to ensure it shows up. If so, you're ready to use it.

The commands in this module are custom-built to manage SPNs. When using the ActiveDirectorySPN module, you don't have to worry about creating hash tables to add, remove, or replace SPNs. Instead, you can use familiar commands like New-AdUserSPN and Remove-AdUserSPN.

Now that our katmil user doesn't have any SPNs, let's create one again. To do this, I run this:

I can now run Get-AdUserSpn to query the SPN, which will return a PowerShell object.

User SPNs returned as object

If I want to remove the SPN, I can use the familiar PowerShell pipeline to pipe this SPN to Remove-UserSPN, which will remove it.
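To show why the object-and-pipeline style makes SPN management easier than hand-built hash tables, here is an added example of wrapper functions written in the same spirit as the module's commands. This is not the ActiveDirectorySPN module's code: the function names mirror the article, but the parameter names, the output object shape and the pipeline binding are this example's own assumptions. It requires the ActiveDirectory module and shadows the module's commands if both are loaded in the same session.

```powershell
# Added example (not the ActiveDirectorySPN module's code): minimal wrappers that
# return one object per SPN and accept that object back on the pipeline for removal.
# Requires the ActiveDirectory module; parameter and property names are assumptions.

Import-Module ActiveDirectory

function Get-AdUserSpn {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [string]$SamAccountName
    )
    process {
        $u = Get-ADUser -Identity $SamAccountName -Properties ServicePrincipalNames
        # Emit one object per SPN so each can be filtered, sorted or piped individually
        foreach ($spn in $u.ServicePrincipalNames) {
            [pscustomobject]@{
                SamAccountName       = $u.SamAccountName
                ServicePrincipalName = $spn
            }
        }
    }
}

function New-AdUserSpn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$ServicePrincipalName
    )
    foreach ($spn in $ServicePrincipalName) {
        # ShouldProcess gives the wrapper -WhatIf / -Confirm for free
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Add SPN $spn")) {
            Set-ADUser -Identity $SamAccountName -ServicePrincipalNames @{ Add = $spn }
        }
    }
    Get-AdUserSpn -SamAccountName $SamAccountName
}

function Remove-AdUserSpn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Both bind by property name, so Get-AdUserSpn output pipes straight in
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$SamAccountName,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$ServicePrincipalName
    )
    process {
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Remove SPN $ServicePrincipalName")) {
            Set-ADUser -Identity $SamAccountName -ServicePrincipalNames @{ Remove = $ServicePrincipalName }
        }
    }
}

# Usage, following the article's create / query / remove sequence for katmil
New-AdUserSpn -SamAccountName katmil -ServicePrincipalName 'HTTP/webserver'
Get-AdUserSpn -SamAccountName katmil
Get-AdUserSpn -SamAccountName katmil |
    Where-Object ServicePrincipalName -eq 'HTTP/webserver' |
    Remove-AdUserSpn -WhatIf    # drop -WhatIf to perform the removal
```

Because Remove-AdUserSpn binds SamAccountName and ServicePrincipalName by property name, a Where-Object filter in the middle of the pipeline is all it takes to remove a subset of an account's SPNs, and -WhatIf lets you preview exactly which attribute writes a script would make before it touches the directory.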

The ActiveDirectorySPN module abstracts away as much as possible and allows you to work with SPNs just as you would with user and computer objects in AD.


1 Comment
  1. Mudasir Ulla Khan 1 year ago

    Helpful information 




© 4sysops 2006 - 2020

