Find the MS SQL Servers by using SPN in your AD


In an old post, I was writing about the commands you could use to retrieve the list of your RDS Licensing servers in a domain.

Generalizing this LDAP Filter example, you can retrieve a list of Service Principal Names enabled accounts. The examples are as follows:

In the powershell syntax with Filter you can not write something like { servicePrincipalName -ne $null}.

If you want to narrow down your searches to the SQL Servers for which Kerberos is enabled you can use

Refinements to that query could be to target SQL Servers SPN on computer objects when you are using SYSTEM / NT Service accounts or on the contrary user accounts when you are using domain users. Such filters would be:

Additional complex filters can be found in the Active Directory filter Powershell help page.

Get-ADObject is a more generic Powershell cmdlet as its Get-ADComputer and Get-ADUser counterparts, as it doesn’t assume an objectCategory hence its broader use but more complex syntax.

Always remember that the syntax of the LDAPFilter immediately matches the one you find in the dsquery command, whereas the Filter option must be written using Powershell Script block Syntax.

Leave a comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.