Add OutputScriptOnly to Set-DbaSpn

Question

Add OutputScriptOnly to Set-DbaSpn

KennyNeal opened this issue 3 months ago · comments

Summarize Functionality

DBAs do not always have permission to change AD. Set-DbaSpn could export the setspn scripts that could be handed off to a team with proper permissions. This is similar to what can be generated from the Kerberos Configuration Manager for SQL Server.

Is there a command that is similiar or close to what you are looking for?

No

Technical Details

Kerberos Configuration Manager for SQL Server

Matt Cargile · Answer 1 · Wed Mar 27 2024 17:28:45 GMT+0800 (China Standard Time)

It might work better as a property on the Test-DbaSpn output?

Andreas Jordan · Answer 2 · Mon Apr 01 2024 03:53:22 GMT+0800 (China Standard Time)

Looking at the code, I don't see an easy way to do that. The code is working with methods of the ad objects, not creating some kind of script.

Maybe you can provide an example "script" that you would like to be created.

Matt Cargile · Answer 3 · Tue Apr 02 2024 00:45:41 GMT+0800 (China Standard Time)

After thinking about this more, I really think a better solution is to use something like the below. This will produce a setspn.cmd that will create the applicable SPNs. It won't add the Kerberos Delegation that Set-DbaSpn does though.

test-dbaspn computername | ForEach-Object { "setspn -S $($_.requiredspn)" } | Set-Content setspn.cmd

I'm not sure if dbatools should get into dynamically creating setspn commands?

Andreas Jordan · Answer 4 · Thu Apr 04 2024 03:50:16 GMT+0800 (China Standard Time)

I see this clearly out of scope of dbatools and will not work on this issue.