question

13410273 asked GaryReynolds edited

Delegation of authority to create an SPN.

Hello everyone!

There is a task from the Linux system environment to register its SPN record in Active Directory. To do this, you currently need Domain Admins rights.

Tell me, is it possible to delegate the rights to create such SPNs (for Linux machines and systems) in Active Directory, for example, to a group of Linux admins, so as not to grant them Domain Admins rights? If so, what permissions will need to be delegated to a user or group?

Thanks!

Tags: windows-server, windows-server-2016, windows-server-security, windows-server-infrastructure

Do you have any update about this thread?

Thameur-BOURBITA answered Thameur-BOURBITA edited

Hi,

You can delegate a user account to edit the SPN attribute in Active Directory on a service account or computer object:

[image attachment: 182082-image.png]

You can apply the delegation to all child objects under an OU:

[image attachment: 181996-image.png]

Please don't forget to mark helpful reply as answer
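The delegation shown in the screenshots above can also be scripted, which makes it repeatable and easy to review. The following is an added example in PowerShell, not code from this thread or from Microsoft: it grants one group read and write access to the servicePrincipalName attribute on computer objects under one OU, and nothing else. The OU path, the group name, and the domain are assumptions; the schema GUIDs are resolved at run time instead of being hard-coded.

```powershell
# Added example (not from the thread). Delegates write access to the
# servicePrincipalName attribute only, on computer objects only, inherited
# from one OU, to a group of Linux admins instead of Domain Admins.
# Assumed values: the OU, the group, and the domain "corp.example".
Import-Module ActiveDirectory

$OuDn      = 'OU=LinuxServers,DC=corp,DC=example'   # assumption
$GroupName = 'LinuxAdmins'                          # assumption

# Look up the schema GUIDs of the attribute and the object class at run time,
# so nothing is hard-coded and the script works against any forest.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$spnAttrGuid = [guid](Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' `
    -Properties schemaIDGUID).schemaIDGUID
$computerClassGuid = [guid](Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=computer)' `
    -Properties schemaIDGUID).schemaIDGUID

$groupSid = (Get-ADGroup -Identity $GroupName).SID

# Build the ACE: Allow ReadProperty+WriteProperty on one attribute (objectType),
# inherited by descendants of one class (inheritedObjectType) only.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $spnAttrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClassGuid)

# Read the OU's security descriptor through the AD: drive, add the ACE, write it back.
$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Show the resulting ACE so the change can be reviewed.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Format-List IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Run it as an account that can modify the OU's security descriptor. Scoping the ACE to a single attribute and a single object class is what keeps this narrower than Domain Admins: the group gains no ability to create or delete objects, reset passwords, or write any other attribute. If the SPNs will always match the computer's own host name, the validated write right for SPNs ("Validated write to service principal name" in the GUI) is tighter still, because the directory then rejects SPNs whose host part does not match the object.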

13410273 answered GaryReynolds edited

Hello everyone!
Tell me, can it happen that this delegation will allow someone to create a duplicate SPN?
AD is large enough and, roughly speaking, one object in AD can be linked to several SPNs, so how can it be avoided that, when delegating and creating an SPN, some other service in AD stops working?

Or should I write a script in PoSH that will check the identity of the SPN?
Link to a related question: delegation-of-authority-to-create-an-spn.html

Thanks!

I've responded to your separate question, but you can't assign an SPN entry to multiple objects if the domain controllers are Windows 2012 R2 and above.

Thameur-BOURBITA answered

Tell me, can it happen that this delegation will allow you to create a duplicate SPN?

Yes, it's possible when the admin doesn't use the command setspn -S to add an SPN. setspn -A, or adding an SPN by editing the AD attribute directly, can generate a duplicate SPN.
The only way to prevent a duplicate SPN when you generate a new one is to use setspn -S.

AD is large enough and roughly speaking, one object in AD can be linked to several SPNs, and how would it not happen that when delegating and creating SPN, whatever other service in AD will stop working?

In this case you should delete the duplicate SPN by removing the SPN from the wrong computer or service account.

Please don't forget to mark helpful reply as answer
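The script the asker mentioned above, and the duplicate check this answer describes, fit together in a few lines of PowerShell. What follows is an added example, not code from this thread: it searches the global catalog for an existing holder of an SPN before adding it with setspn -S (which performs its own forest-wide duplicate check, unlike setspn -A or a raw attribute edit), and it includes an audit function that lists every SPN currently held by more than one object, which is the case the second question worries about. The SPN and account name at the bottom are constructed sample values.

```powershell
# Added example (not from the thread). Checks SPN uniqueness before adding an
# SPN, and audits the forest for SPNs that already exist on more than one object.
Import-Module ActiveDirectory

# Global catalog port 3268 returns objects from every domain in the forest,
# so a duplicate in another domain is found too.
function Get-GlobalCatalogServer {
    $gc = Get-ADDomainController -Discover -Service GlobalCatalog
    return "$($gc.HostName[0]):3268"
}

# Escape the characters that have meaning in an LDAP filter (RFC 4515),
# so an SPN containing "(" or "*" cannot change the query.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Returns every object that currently holds the given SPN (empty if none).
function Find-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    $filter = "(servicePrincipalName=$(ConvertTo-LdapFilterValue $Spn))"
    Get-ADObject -Server (Get-GlobalCatalogServer) -LDAPFilter $filter -Properties servicePrincipalName |
        Select-Object DistinguishedName, ObjectClass
}

# Adds an SPN only if no other object holds it, and uses setspn -S so the
# tool repeats the duplicate check at write time. Returns $true on success.
function Add-UniqueSpn {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$AccountName   # computer name or user sAMAccountName
    )
    $owners = @(Find-SpnOwner -Spn $Spn)
    if ($owners.Count -gt 0) {
        Write-Warning "SPN '$Spn' already exists on: $($owners.DistinguishedName -join '; ')"
        return $false
    }
    & setspn.exe -S $Spn $AccountName
    return ($LASTEXITCODE -eq 0)
}

# Lists every SPN held by more than one object in the forest. SPN comparison is
# case-insensitive, and Group-Object compares case-insensitively by default.
function Get-DuplicateSpn {
    Get-ADObject -Server (Get-GlobalCatalogServer) -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                [pscustomobject]@{ Spn = $spn; Owner = $dn }
            }
        } |
        Group-Object -Property Spn |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ Spn = $_.Name; Owners = $_.Group.Owner } }
}

# Constructed sample values; replace with the real service and account.
Add-UniqueSpn -Spn 'HTTP/linuxweb01.corp.example' -AccountName 'linuxweb01'
Get-DuplicateSpn | Format-Table -AutoSize
```

The pre-check and setspn -S are belt and braces: the pre-check gives a readable list of which objects collide before anything is written, while setspn -S guarantees the check happens even if someone calls the tool without the wrapper. Running Get-DuplicateSpn on a schedule (setspn -X -F gives a similar forest-wide listing from the command line) catches duplicates that were introduced through a direct attribute edit, which no client-side check can prevent; as noted in the comment above, domain controllers on Windows 2012 R2 and later reject such writes themselves.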