Detect Duplicate SPN with Powershell – Not Quite

Hello World,

Today I have some free time, and I want to post a PowerShell script related to the SPN (Service Principal Name).

The Problem

As you probably know, in an Active Directory infrastructure SPNs should be unique, but from time to time you might find duplicate SPNs in your environment. Because I'm working on automating a bunch of Active Directory tasks with PowerShell, I was about to write a PowerShell function that checks for duplicate SPNs. I started my work and then found out that someone else had already created a similar PowerShell script (look here).

After some tests in a real production environment, we noticed that the script was using a lot of CPU and memory. So we decided to change the approach and create a simpler script that consumes an acceptable amount of computer resources. We simply decided to wrap the setspn.exe command line tool in a PowerShell function.

The Script

This is the function we have created. You see, really simple and basic…

Function CheckDuplicateSPN
{
    $StrRptFolder = "C:\Report_SPN"

    # Make sure the report folder exists, otherwise the redirection below fails
    if (-not (Test-Path $StrRptFolder)) {
        New-Item -ItemType Directory -Path $StrRptFolder | Out-Null
    }

    #---- Using SetSpn.exe to check Duplicate SPN ----------

    $SPNResult = Join-Path $StrRptFolder "DuplicatesSPN.txt"
    # -X searches for duplicate SPNs, -P suppresses the progress indicator;
    # the output goes to the report file
    setspn.exe -X -P | Out-File -FilePath $SPNResult
}

#----- Call the function to execute the code ----

CheckDuplicateSPN


The script is self-explanatory. Using the -X option of the setspn.exe utility, you can detect duplicate SPNs within your infrastructure. With the command line utility the process is much faster than using a PowerShell script to query Active Directory for duplicate SPNs.

Final Note

So far, we have decided to use the SetSPN.exe utility to check for duplicate SPNs because it is simple to use and quite fast. However, we have noticed that the results of the PowerShell script and of the command line utility differ from time to time. The PowerShell script reports some duplicate SPNs when setspn.exe says that no duplicates have been found.

Interesting indeed…
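When the two reports disagree, it helps to have a second check that does the same thing as the other script (one LDAP query, grouped by SPN) but writes its output next to the setspn.exe report so the two can be compared line by line. The following function is an added example, not code from the original post: it uses a paged DirectorySearcher (no RSAT module needed), groups the SPNs case-insensitively, and returns the duplicate groups as objects. It assumes a domain-joined host; the function name, its parameters and the report path are assumptions. One thing worth checking when the results differ is scope: setspn -X searches the current domain unless -F is given, so the default search base here is the current domain as well.

```powershell
# Added example (not from the original post): find duplicate SPNs with one
# paged LDAP query so the result can be compared with the setspn -X report.
# Assumes a domain-joined host; the function name, parameter names and the
# report path are assumptions.
Function Get-DuplicateSPN
{
    param(
        # Defaults to the current domain, the same scope setspn -X uses without -F
        [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext,
        [string]$ReportPath = "C:\Report_SPN\DuplicatesSPN_LDAP.txt"
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = "(servicePrincipalName=*)"
    $searcher.PageSize   = 1000   # paged search, so more than 1000 objects come back
    [void]$searcher.PropertiesToLoad.Add("servicePrincipalName")
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")

    $results = $searcher.FindAll()
    try {
        # Flatten every (SPN, owner) pair; one object can hold many SPNs
        $pairs = foreach ($r in $results) {
            $dn = [string]$r.Properties["distinguishedname"][0]
            foreach ($spn in $r.Properties["serviceprincipalname"]) {
                [pscustomobject]@{ SPN = [string]$spn; Owner = $dn }
            }
        }
    }
    finally {
        $results.Dispose()
    }

    # SPNs are compared case-insensitively; Group-Object is case-insensitive
    # unless -CaseSensitive is given, so "MSSQLSvc/x" and "mssqlsvc/x" collide
    $dupes = $pairs | Group-Object -Property SPN | Where-Object { $_.Count -gt 1 }

    $report = foreach ($g in $dupes) {
        [pscustomobject]@{
            SPN    = $g.Name
            Count  = $g.Count
            Owners = ($g.Group.Owner -join "; ")
        }
    }

    # Write the report next to the setspn.exe one, creating the folder if needed
    $dir = Split-Path -Parent $ReportPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $report | Format-Table -AutoSize | Out-String -Width 4096 | Out-File -FilePath $ReportPath

    # Also return the objects so the caller can inspect or filter them
    $report
}

Get-DuplicateSPN
```

Running this right after CheckDuplicateSPN leaves two files in C:\Report_SPN; an SPN that appears in the LDAP report but not in the setspn.exe one is the place to start looking (different domain, different case, or an object the tool skipped).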

Till Next Time

See ya
