Sysadmins of the North


List all SPNs used in your Active Directory

There are a lot of hints & tips out there for troubleshooting SPNs, or Service Principal Names. Listing duplicate SPNs is fairly easy: just run setspn -X on your command-line and you’ll find out. But how do you find out which SPNs are registered, and on which user and computer accounts?

SetSPN command-line

Many scripts assume you’re looking for a specific SPN (HTTP/…), a specific user, or a specific computer. For example, using setspn to find SPNs linked to a certain computer:

setspn -L <ServerName>

Or setspn to find SPNs linked to a certain user account:

setspn -L <domain\user>

And now you need a general script to list all SPNs, for all users and all computers…

Nice fact to know: SPNs are stored as an attribute (servicePrincipalName) on the user or computer account objects. That makes it fairly easy to query for that attribute.

And modern admins do PowerShell, right?

List SPNs using PowerShell

So… Save the following code into a new PowerShell .ps1 file and run it in your domain. It’ll list the SPNs.

# Source / credit:

$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.Filter = "(servicePrincipalName=*)"
$search.PageSize = 1000   # page the results; without this the server returns at most 1000 objects

## You can use this to filter for OUs:
## $results = $search.FindAll() | ?{ $_.Path -like '*OU=whatever,DC=whatever,DC=whatever*' }
$results = $search.FindAll()

foreach( $result in $results ) {
	$userEntry = $result.GetDirectoryEntry()
	Write-Host "Object Name = " $userEntry.name -BackgroundColor "yellow" -ForegroundColor "black"
	Write-Host "DN      =      "  $userEntry.distinguishedName
	Write-Host "Object Cat. = "  $userEntry.objectCategory
	Write-Host "servicePrincipalNames"

	# number the SPNs of this account, starting at 1
	$i = 1
	foreach( $SPN in $userEntry.servicePrincipalName ) {
		Write-Host "SPN(" $i ")   =      " $SPN
		$i++
	}
	Write-Host ""
}
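The script above prints one block per account. For documentation and for spotting problems it is more useful to have one row per SPN that you can sort, export and group. The following is an added example, not the blog’s own script: it uses the same DirectorySearcher approach, reads the attributes straight from the search result instead of binding to each object again, writes a CSV, and then reports duplicate SPNs (the same condition setspn -X checks for) and SPNs that sit on user objects rather than computer objects. The parameter names, the CSV path and the search base are assumptions for this example; run it as an ordinary domain user on a domain-joined machine.

```powershell
# Added example: inventory all SPNs in the domain, one row per SPN, then flag
# duplicates and SPNs registered on user accounts. Not the original post's code.
param(
    # Optional LDAP path to narrow the search, e.g. "LDAP://OU=Servers,DC=example,DC=com".
    # Empty means the default naming context of the current domain.
    [string]$SearchBase = "",
    [string]$CsvPath    = ".\spn-inventory.csv"    # assumed output location
)

$root = if ($SearchBase) { [ADSI]$SearchBase } else { [ADSI]"" }
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = "(servicePrincipalName=*)"
$searcher.PageSize = 1000   # paged search; without it the server stops at 1000 objects
[void]$searcher.PropertiesToLoad.AddRange(@(
    "distinguishedName", "sAMAccountName", "objectCategory", "servicePrincipalName"))

# Build one object per SPN. Properties come back from the searcher as lowercase keys.
$rows = foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties
    # objectCategory is a DN like "CN=Computer,CN=Schema,..."; keep only the class name
    $category = ([string]$p["objectcategory"][0]) -replace '^CN=([^,]+),.*$', '$1'
    foreach ($spn in $p["serviceprincipalname"]) {
        [pscustomobject]@{
            Account  = [string]$p["samaccountname"][0]
            Category = $category                       # "Computer" or "Person"
            DN       = [string]$p["distinguishedname"][0]
            SPN      = [string]$spn
        }
    }
}

$rows | Sort-Object SPN | Export-Csv -Path $CsvPath -NoTypeInformation
"{0} SPNs on {1} accounts written to {2}" -f $rows.Count,
    ($rows.DN | Sort-Object -Unique).Count, $CsvPath

# Duplicate SPNs: the same SPN on more than one account breaks Kerberos
# authentication for that service, so these are the first ones to fix.
# SPNs are compared case-insensitively, as the KDC does.
$duplicates = $rows | Group-Object { $_.SPN.ToLowerInvariant() } | Where-Object Count -gt 1
foreach ($d in $duplicates) {
    Write-Warning ("Duplicate SPN {0} on: {1}" -f $d.Name,
        (($d.Group.Account | Sort-Object -Unique) -join ", "))
}

# SPNs on user objects (service accounts) rather than computer objects:
# list them separately so they can be reviewed and documented.
$rows | Where-Object Category -eq "Person" | Sort-Object Account, SPN |
    Format-Table Account, SPN -AutoSize
```

Reading the attributes from $result.Properties avoids one LDAP bind per account, which is what makes the GetDirectoryEntry() approach slow in large domains. The CSV is the artefact to keep with your documentation; rerunning the script and diffing the CSV against the previous run shows which SPNs were added, moved or removed.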

Or use dsquery on your CMD.exe command-line:

dsquery * "ou=domain controllers,dc=yourdomain,dc=com" -filter "(&(objectcategory=computer)(servicePrincipalName=*))" -attr distinguishedName servicePrincipalName > spns.txt

This is a valuable script and information reference for your own documentation.



  1. John Doe

    it is better to

    setspn -Q */*

    • Thanks for your addition!

      Update, a note to “John Doe’s” -Q addition: it seems like the -Q query modifier is removed in Windows Server 2016 and up. It’s available in the help of my Windows Server 2012 R2 servers, but not in 2016:

      d:\deployment>setspn /?
      Usage: setspn [switches data] computername
        Where "computername" can be the name or domain\name
         -R = reset HOST ServicePrincipalName
          Usage:   setspn -R computername
         -A = add arbitrary SPN
          Usage:   setspn -A SPN computername
         -D = delete arbitrary SPN
          Usage:   setspn -D SPN computername
         -L = list registered SPNs
          Usage:   setspn [-L] computername
      setspn -R daserver1
         It will register SPN "HOST/daserver1" and "HOST/{DNS of daserver1}"
      setspn -A http/daserver daserver1
         It will register SPN "http/daserver" for computer "daserver1"
      setspn -D http/daserver daserver1
         It will delete SPN "http/daserver" for computer "daserver1"
  2. Jan

Hey, this is a great way to list all SPNs used in my Active Directory network, thanks!
