Validate SPN mappings using Windows PowerShell

 

What is a SPN mapping?

A Service Principal Name (SPN) mapping allows a service running on an Active Directory computer to be associated with the domain account that is responsible for running the service. This allows mutual Kerberos authentication, and an account defined in an SPN mapping is able to request Kerberos tickets on the requesting user's behalf. Examples of services that use Kerberos and SPN mappings include SQL Servers, web servers, LDAP servers, Exchange servers and so on.

Validation of SPN mappings

A SPN mapping must be unique within an Active Directory domain, and duplicate mappings will result in problems for the involved services.

While the command line tool setspn.exe, which is used for managing SPN mappings, can also be used for queries, I wanted to use Windows PowerShell to accomplish this. I've put together a script module with two functions:
Resolve-SPN – Resolves the provided SPN mapping
Resolve-AllDuplicateDomainSPNs – Resolves all SPN mappings in the domain and reports duplicate mappings

The script module is available on the TechNet Script Center Gallery, click here for the direct link.
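To show what the two functions above do, here is an added example written for this page (it is not the SPNValidation module itself): one function looks up the holders of a single SPN and the other lists every SPN registered on more than one object. It assumes the ActiveDirectory module is loaded and PowerShell 3.0 or later; the function names, the sample SPN and the output layout are my own.

```powershell
# Added example (not the page's SPNValidation module): query servicePrincipalName
# values with Get-ADObject and report SPNs that more than one object holds.
# Assumes the ActiveDirectory module and PowerShell 3.0 or later.
Import-Module ActiveDirectory

function Resolve-DomainSPN {
    # Returns the object(s) holding the given SPN, e.g. "MSSQLSvc/sql01.contoso.com:1433".
    param([Parameter(Mandatory = $true)][string]$SPN)

    # Escape LDAP filter metacharacters so a value such as "HTTP/(test)" cannot alter the filter.
    $escaped = $SPN -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" -Properties servicePrincipalName |
        Select-Object Name, ObjectClass, DistinguishedName
}

function Get-DuplicateDomainSPN {
    # Lists every SPN that appears on more than one object, with the holders joined into one string.
    $objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName

    # Flatten to one (SPN, holder) row per value. SPNs are compared case-insensitively,
    # which is how the directory and setspn -X treat them.
    $rows = foreach ($obj in $objects) {
        foreach ($spn in $obj.servicePrincipalName) {
            [pscustomobject]@{ SPN = $spn.ToLowerInvariant(); Holder = $obj.DistinguishedName }
        }
    }

    $rows | Group-Object -Property SPN | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{
            SPN     = $_.Name
            Count   = $_.Count
            Holders = (($_.Group | ForEach-Object { $_.Holder }) -join '; ')
        }
    }
}

# Usage (sample SPN is constructed for illustration):
# Resolve-DomainSPN -SPN 'MSSQLSvc/sql01.contoso.com:1433'
# Get-DuplicateDomainSPN | Format-Table -AutoSize
```

The duplicate report is worth running on a schedule rather than only when a service breaks: a duplicate SPN means the KDC cannot tell which account a ticket should be encrypted for, so authentication to the affected service fails or lands on the wrong account. The same check is available from the command line as setspn -X.
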

Save the script module as a psm1-file in the following directory: %userprofile%\Documents\WindowsPowerShell\Modules\SPNValidation
 
You need to manually create the 3 subfolders under %userprofile%\Documents if they don't exist.

When done, start Windows PowerShell and type the following command:

[screenshot]

You should now see the SPNValidation module.
Import the module with the Import-Module cmdlet:

[screenshot]

Resolve-AllDuplicateDomainSPNs can be executed without any parameters:

[screenshot]

Resolve-SPN has one mandatory parameter: -SPN
Example usage:

[screenshot]

Note that the PowerShell Active Directory module for Windows Server 2008 R2 is required, because the Get-ADObject cmdlet is used in one of the script module's functions.
The PowerShell Active Directory module is also available in Remote Server Administration Tools (RSAT) for Windows 7.

Automate Group Policy Preferences printer-management using Windows PowerShell

I've written a couple of blog posts earlier on Group Policy Preferences and printer deployment using Group Policy.

Using Group Policy Preferences is a very flexible way to deploy printer connections. This is also very manageable in smaller environments. What if you have hundreds, or even thousands, of printer connections you need to deploy? Do you want to sit down and make several thousand mouse clicks to accomplish the task? There are better alternatives!

Based on SDM Software's Group Policy Automation Engine, I've created a script module to handle this. The script module is available from this link.

Save the script module as a psm1-file in the following directory: %userprofile%\Documents\WindowsPowerShell\Modules\GPPreferencesPrinters
You need to manually create the 3 subfolders under %userprofile%\Documents if they don't exist.

When done, start Windows PowerShell and type the following command:

[screenshot]

You should now see the GPPreferencesPrinters module.
Import the module with the Import-Module cmdlet:

[screenshot]

As you can see there are two functions in addition to SDM Software's cmdlets: Add-GPPreferencesPrinter and Get-GPPreferencesPrinter.

Example 1:

[screenshot]

Example 2:

If you have the printers listed in an Excel spreadsheet, save the document in CSV format:

[screenshot]

The CSV file may be used like this to import the printer connections:

[screenshot]

[screenshot]

Additional functions and parameters will be added to the script module later, namely Remove-GPPreferencesPrinter and Item-Level Targeting. Note that example usage for Item-Level Targeting is provided in the Group Policy Automation Engine User Manual.
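The CSV import shown in Example 2 above, as an added example that is not part of the GPPreferencesPrinters module: the wrapper reads the spreadsheet export, rejects rows that are not \\server\share printer paths, drops duplicate (GPO, printer) pairs, and only then calls Add-GPPreferencesPrinter. The CSV column names GPOName and PrinterPath and the -GPOName/-PrinterPath parameters are assumptions, not the module's documented interface; the -DryRun switch is my own addition for reviewing a sheet before it touches any GPO.

```powershell
# Added example (not the page's GPPreferencesPrinters module): validate a CSV of
# printer connections before passing rows to Add-GPPreferencesPrinter.
# Assumed CSV columns: GPOName, PrinterPath. Assumed parameters: -GPOName, -PrinterPath.
function Import-PrinterConnectionCsv {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$DryRun    # report what would be added without calling the module
    )
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "No rows found in $Path" }

    foreach ($col in 'GPOName', 'PrinterPath') {
        if (-not ($rows[0] | Get-Member -Name $col -MemberType NoteProperty)) {
            throw "CSV is missing required column '$col'"
        }
    }

    $seen = @{}
    foreach ($row in $rows) {
        $gpo  = $row.GPOName.Trim()
        $path = $row.PrinterPath.Trim()

        # Only \\server\share style paths are printer connections; anything else is a data error.
        if ($path -notmatch '^\\\\[^\\\s]+\\[^\\\s]+$') {
            Write-Warning "Skipping '$path': not a UNC printer path"
            continue
        }
        if ($gpo -eq '') { Write-Warning "Skipping '$path': empty GPO name"; continue }

        # Skip duplicate (GPO, printer) pairs so one repeated line in the sheet does not create two items.
        $key = ("$gpo|$path").ToLowerInvariant()
        if ($seen.ContainsKey($key)) { Write-Warning "Skipping duplicate row: $gpo $path"; continue }
        $seen[$key] = $true

        if ($DryRun) {
            Write-Output "Would add $path to GPO '$gpo'"
        } else {
            # Assumed parameter names for the page's function.
            Add-GPPreferencesPrinter -GPOName $gpo -PrinterPath $path
        }
    }
}

# Usage (file path is constructed for illustration):
# Import-PrinterConnectionCsv -Path 'C:\printers.csv' -DryRun
# Import-PrinterConnectionCsv -Path 'C:\printers.csv'
```

Running with -DryRun first and reading the warnings is the cheap way to catch a mistyped share or a stray row before thousands of printer items land in a GPO that every client processes.
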

Outlook signature based on user information from Active Directory

To provide a consistent company image, all users should use the same signature template in their Outlook profile. I've created a Windows PowerShell script to deploy a consistent Outlook signature to users, based on user information retrieved from Active Directory. I've used the fields “Display name”, “Title”, “E-mail” and “Telephone number”; additional fields may be added to suit your needs.

 

Step-by-step

1) Download the script from here. Save it to a UNC-path accessible for all users.

2) Adjust the custom variables:

[screenshot]

3) From an Outlook client, create a signature based on your company template:

[screenshot]

4) Copy the signature files from %appdata%\Microsoft\Signatures to the UNC path specified in the SigSource variable in the script:

[screenshot]

5) Open both Company Name.rtf and Company Name.htm in Microsoft Office Word and insert the following bookmarks:

[screenshot]

Select each word, e.g. “EmailAddress”, go to “Insert”, press the “Bookmark” button and name the bookmark “EmailAddress”. It's important that the bookmarks are named “DisplayName”, “Title”, “TelephoneNumber” and “EmailAddress”, because the script replaces these bookmarks with the information retrieved from Active Directory for the logged-on user.

6) When appropriately tested, deploy the script to end users. This may be accomplished by e.g. Group Policy:

[screenshot]

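The steps above, carried through as an added example that is not the page's Set-OutlookSignature.ps1: the script looks up the logged-on user with ADSI (so the client needs no Active Directory module), copies the template from the share into the user's Signatures folder, replaces the four bookmarks through Word's COM object, and writes a version value under HKCU so that customized signatures are left alone until the version is changed. The share path, template name, registry key and variable names are assumptions.

```powershell
# Added example (not the page's Set-OutlookSignature.ps1). Variable names, the
# UNC share, the template name and the registry key are assumptions.
$SigSource  = '\\fileserver\signatures'                    # assumed share holding "Company Name.htm" and ".rtf"
$SigName    = 'Company Name'                               # template base name
$SigVersion = '1.0'                                        # change this to redeploy over customized copies
$RegPath    = 'HKCU:\Software\Contoso\OutlookSignature'    # assumed key for the version marker
$SigDest    = Join-Path $env:APPDATA 'Microsoft\Signatures'

function Get-SignatureValues {
    # Map bookmark names to attributes of the logged-on user. Missing attributes become ''.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$env:USERNAME' was not found in Active Directory" }
    $attr = {
        param($n)
        $v = $result.Properties[$n]
        if ($v -and $v.Count -gt 0) { [string]$v[0] } else { '' }
    }
    @{
        DisplayName     = & $attr 'displayname'
        Title           = & $attr 'title'
        TelephoneNumber = & $attr 'telephonenumber'
        EmailAddress    = & $attr 'mail'
    }
}

function Set-SignatureBookmarks {
    # Open one template in Word and replace each named bookmark's text with its value.
    param([string]$Path, [hashtable]$Values)
    $word = New-Object -ComObject Word.Application
    $word.Visible = $false
    $word.DisplayAlerts = 0    # wdAlertsNone: never block on a dialog during logon
    try {
        $doc = $word.Documents.Open($Path)
        foreach ($name in $Values.Keys) {
            if ($doc.Bookmarks.Exists($name)) {
                # Writing to the bookmark's range replaces the placeholder word.
                $doc.Bookmarks.Item($name).Range.Text = $Values[$name]
            } else {
                Write-Warning "Bookmark '$name' not found in $Path"
            }
        }
        $doc.Save()
        $doc.Close()
    } finally {
        $word.Quit()
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($word)
    }
}

# Leave the user's signature alone if this version is already deployed.
$deployed = (Get-ItemProperty -Path $RegPath -Name Version -ErrorAction SilentlyContinue).Version
if ($deployed -eq $SigVersion) { return }

$values = Get-SignatureValues
if (-not (Test-Path $SigDest)) { New-Item -ItemType Directory -Path $SigDest | Out-Null }

# Copy the template files (including the "_files" folder Word keeps beside the .htm).
# Other signatures in the folder are not touched.
Copy-Item -Path (Join-Path $SigSource "$SigName*") -Destination $SigDest -Recurse -Force
foreach ($ext in 'htm', 'rtf') {
    Set-SignatureBookmarks -Path (Join-Path $SigDest "$SigName.$ext") -Values $values
}

# Record the version so the next logon skips the rewrite until $SigVersion changes.
New-Item -Path $RegPath -Force | Out-Null
Set-ItemProperty -Path $RegPath -Name Version -Value $SigVersion
```

Because the script runs in the user's own context at logon, it only needs read access to the share and the user's normal permissions in HKCU and %appdata%; nothing in it requires elevation, which is the right shape for anything pushed out as a logon script.
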
Additional information

Sample signature created using Set-OutlookSignature.ps1:

[screenshot]

Active Directory object for sample user:

[screenshots]

Settings are stored under HKCU in the registry:

image

A few notes:
- Existing signatures are preserved.
- Users are allowed to customize their signatures until a new version is deployed; the existing company signature is then overwritten.

Update 21.11.2010: The script has been improved by Darren Kattan. For details and updated instructions, see this blog post.