Grant-SPNWriteOnProtectedADObjects
NAME Grant-SPNWriteOnProtectedADObjects
SYNOPSIS
The NETWORK SERVICE principal attempts to register SPNs on servers, most commonly WSMAN, but is unable to because of default permissions.
Explicitly setting an Access Control Entry (ACE) on the computer object only works temporarily in some cases: the AdminSDHolder ACL does not include the NETWORK SERVICE principal, and the recurring SDProp task replaces protected objects' ACLs with the ACL on the AdminSDHolder object. Domain controllers are the typical example of computer objects affected by this security design. This cmdlet sets the permissions on the AdminSDHolder object so that the updated ACL entries on protected objects, such as domain controllers, are not overwritten.
SYNTAX
Grant-SPNWriteOnProtectedADObjects [-IncludeDomainControllers] [[-Credential] <PSCredential>] [<CommonParameters>]
DESCRIPTION
This cmdlet runs against each domain in the current forest; Enterprise Admin privileges are required.
The Grant-SPNWriteOnProtectedADObjects cmdlet adds the NETWORK SERVICE principal with the "Validated Write to Service Principal Name" right to the AdminSDHolder container so that protected objects do not have their ACLs overwritten after they are fixed to resolve EventId 10154.
The error logged on a protected computer/server looks like the following when this command needs to be run:
-----------
The WinRM service failed to create the following SPNs: WSMAN/servername.fqdn; WSMAN/servername
Additional Data
The error received was 1355: %%1355.
User Action
The SPN can be created by an administrator using setspn.exe utility.
-----------
A background process, Security Descriptor Propagator Update (SDProp), on the PDC emulator runs every 60 minutes (by default) and compares the ACL of the AdminSDHolder object with the ACLs of the protected users, groups and computers. If there are any differences, it overwrites them with the AdminSDHolder ACL.
PARAMETERS
-IncludeDomainControllers [<SwitchParameter>]
The updated ACL entries are also added directly to the domain controller computer objects in each domain processed.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Credential <PSCredential>
Specifies a user account that has permission to perform this action. The default is the current user.
Type a user name, such as "User01" or "Domain01\User01", or enter a PSCredential object, such as one generated by the Get-Credential cmdlet. If you type a user name, you will be prompted for a password.
Required? false
Position? 1
Default value [System.Management.Automation.PSCredential]::Empty
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
OUTPUTS
None
NOTES
AUTHOR: Michael Haken
LAST UPDATE: 1/7/2017
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Grant-SPNWriteOnProtectedADObjects
Configures the permissions on the AdminSDHolder object in each domain of the current forest.
-------------------------- EXAMPLE 2 --------------------------
PS C:\>Grant-SPNWriteOnProtectedADObjects -IncludeDomainControllers
Configures the permissions on the AdminSDHolder object in each domain of the current forest. It also enables the NETWORK SERVICE principal to write SPNs on domain controller objects.
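The procedure the DESCRIPTION walks through, written out as an added PowerShell example; this is not the cmdlet's own source. It assumes the ActiveDirectory module, a session holding Enterprise Admin rights, and LDAP reachability to each domain's PDC emulator. The function names (Get-ValidatedSpnRightGuid, Test-ValidatedSpnAce, Grant-ValidatedSpnAce) and the $IncludeDomainControllers variable are this example's own; the rightsGuid of the Validated-SPN extended right is read from the configuration partition rather than hard-coded, and the grant is skipped when the ACE is already present.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the Grant-SPNWriteOnProtectedADObjects source).
# Assumes: ActiveDirectory module, Enterprise Admin session, LDAP access to each PDC emulator.

$NetworkServiceSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-20'   # NT AUTHORITY\NETWORK SERVICE
$SelfRight         = [System.DirectoryServices.ActiveDirectoryRights]::Self      # validated writes use the "Self" right
$IncludeDomainControllers = $true   # mirrors the cmdlet's -IncludeDomainControllers switch

function Get-ValidatedSpnRightGuid {
    param([string]$Server)
    # Look up the extended right's GUID in CN=Extended-Rights instead of hard-coding it.
    $cfg   = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $right = Get-ADObject -Server $Server -SearchBase "CN=Extended-Rights,$cfg" `
        -LDAPFilter '(cn=Validated-SPN)' -Properties rightsGuid
    if (-not $right) { throw "Validated-SPN extended right not found via $Server" }
    [guid]$right.rightsGuid
}

function Test-ValidatedSpnAce {
    param([string]$Server, [string]$DistinguishedName, [guid]$RightGuid)
    # True when an explicit Allow ACE grants NETWORK SERVICE the validated SPN write on this object.
    $entry = [ADSI]"LDAP://$Server/$DistinguishedName"
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference -eq $NetworkServiceSid -and
            $r.AccessControlType -eq 'Allow' -and
            $r.ObjectType -eq $RightGuid -and
            (($r.ActiveDirectoryRights -band $SelfRight) -eq $SelfRight)) {
            return $true
        }
    }
    return $false
}

function Grant-ValidatedSpnAce {
    param([string]$Server, [string]$DistinguishedName, [guid]$RightGuid)
    if (Test-ValidatedSpnAce @PSBoundParameters) {
        Write-Verbose "ACE already present on $DistinguishedName"
        return
    }
    # Object-specific ACE: Allow, right = Self, object type = Validated-SPN.
    # No inheritance flags: SDProp copies AdminSDHolder's DACL verbatim onto protected objects.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $NetworkServiceSid, $SelfRight,
        [System.Security.AccessControl.AccessControlType]::Allow, $RightGuid)
    $entry = [ADSI]"LDAP://$Server/$DistinguishedName"
    $entry.ObjectSecurity.AddAccessRule($rule)
    $entry.CommitChanges()
    Write-Verbose "Granted validated SPN write to NETWORK SERVICE on $DistinguishedName"
}

foreach ($domainName in (Get-ADForest).Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $server = $domain.PDCEmulator   # SDProp runs here, so write where it reads
    $guid   = Get-ValidatedSpnRightGuid -Server $server

    $adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    Grant-ValidatedSpnAce -Server $server -DistinguishedName $adminSdHolder -RightGuid $guid

    if ($IncludeDomainControllers) {
        # Fix the DC computer objects now rather than waiting up to 60 minutes for SDProp.
        Get-ADDomainController -Server $server -Filter * | ForEach-Object {
            Grant-ValidatedSpnAce -Server $server -DistinguishedName $_.ComputerObjectDN -RightGuid $guid
        }
    }

    # Report the resulting state per object.
    $targets = @($adminSdHolder) + @(Get-ADDomainController -Server $server -Filter * |
        ForEach-Object { $_.ComputerObjectDN })
    foreach ($dn in $targets) {
        [pscustomobject]@{
            Domain = $domainName
            Object = $dn
            NetworkServiceValidatedSpn = Test-ValidatedSpnAce -Server $server -DistinguishedName $dn -RightGuid $guid
        }
    }
}
```

Keep the grant to the validated write and nothing broader: SDProp stamps the AdminSDHolder DACL onto every protected object, users and groups included, so an ACE added there lands on Domain Admins members and krbtgt as well as on domain controllers. The validated SPN write only accepts SPN values whose host part matches names already registered on the object itself, which is what makes this acceptable; a generic write to servicePrincipalName would let the holder register arbitrary SPNs. Re-run Test-ValidatedSpnAce against the DC computer objects after SDProp's next pass (60 minutes by default) to confirm the ACE survived.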
RELATED LINKS