Granting Microsoft Active Directory Users \ Groups ability to set Service Principal Names (SPN)

Occasionally, support personnel such as IIS and MS SQL Server (DBA) administrators need to be able to set Service Principal Names (setspn).

  1. Launch MS Active Directory (AD) Users & Computers
  2. Create an Organizational Unit (OU) – Group Scope – Global // Security Type – Security
    • Select Domain Name
    • Right click on the domain name
    • From the drop-down menu select New / Group
    • On the “New Object – Group” screen – Enter Group Name, for Group Scope select “Global”, for “Group Type” select “Security”
    • Click “OK” to effect
  3. Move Computers to the created OU
  4. Grant Permission to OU
    • On the right panel of the screen, select the recently created OU
    • Access the “Security” tab
    • Select the Add button and from the “Select Users\Computers\Groups” screen, choose the group to be assigned permissions
    • Click the “Advanced” button
    • The “Advanced Security Settings for ..” dialog appears
    • Click the “Add” button
    • The “Select User\Computer\Group” dialog appears
    • De-select all other “Object Types” but Groups
    • Enter the “group name” or search for the Group name
    • On the “Permission Entry for <groupname>” screen
    • On the “Apply onto” entry, select “Computer Objects”
    • Once the “Computer Objects” entry is selected, the list of permissions is extended to include “Validated Write to Service Principal Names”
    • Click OK as many times as needed to effect
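
The permission entry from step 4, scripted with the ActiveDirectory PowerShell module and followed by a check of which principals hold it on the OU. This is an added example, not part of the original post. The OU distinguished name and the group name are placeholders; the two GUIDs are the schema identifiers for the "Validated write to service principal name" right and the computer object class.

```powershell
# Added example. $ouDn and $groupName are placeholders (assumptions).
Import-Module ActiveDirectory

$ouDn      = 'OU=AppServers,DC=example,DC=com'
$groupName = 'SPN-Operators'

# Schema GUIDs: the Validated-SPN right and the computer object class.
$validatedSpn  = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$group = Get-ADGroup -Identity $groupName

# "Self" is the validated-write right. Scoping it to the Validated-SPN GUID
# and to descendant computer objects mirrors the "Computer Objects" choice
# in the dialog and grants nothing else on those objects.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::Self,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $validatedSpn,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass)

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Review: list every allow entry on the OU that carries the Validated-SPN
# right, so unexpected principals stand out.
(Get-Acl -Path $path).Access |
    Where-Object {
        $_.ObjectType -eq $validatedSpn -and
        $_.AccessControlType -eq 'Allow'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  InheritanceType, InheritedObjectType, IsInherited |
    Format-Table -AutoSize
```

The review query at the end is worth re-running periodically, since this right lets its holders register SPNs on every computer account under the OU.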
