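<#
.SYNOPSIS
    Add Service Principal Name(s) to an ITD AD Service Account.
.DESCRIPTION
    Adds one or more servicePrincipalName values to the AD account named by
    -SamAccountName, re-reads the account so a human can validate the result,
    then records the work as a ServiceNow change request and closes it.

    The account must exist, every SPN must look like
    serviceclass/host[:port][/servicename], and no SPN may already be
    registered on a different object in the domain (a duplicate SPN breaks
    Kerberos authentication for both owners). Any failure stops the script
    before a change request is created, so a "Successful" CHG is only ever
    recorded when every requested SPN is actually on the account.
.PARAMETER SamAccountName
    sAMAccountName of the service account to modify. Checked at runtime so an
    empty value produces a clear error instead of a failed lookup.
.PARAMETER ServicePrincipalName
    One or more SPN values to add. Blank entries are ignored; at least one
    non-blank value is required.
.NOTES
    Runs as a PowerShell Universal job: $UAJob supplies the executing host
    (which selects the ServiceNow environment), the requesting identity and
    the job id; $Secret:snow_vmcred supplies the ServiceNow credential.

    example using setspn:
    setspn.exe -s MSSQLSvc/test.nd.gov:1433 ndgov\svctest
    setspn.exe -s MSSQLSvc/test:1433 ndgov\svctest
    setspn.exe -s MSSQLSvc/test.nd.gov ndgov\svctest
    setspn.exe -s MSSQLSvc/test ndgov\svctest
.LINK
#>
[CmdletBinding()]
Param(
    [string] $SamAccountName,
    [Parameter(HelpMessage = "Multiple entries can be submitted if the field loses focus, and you go back to it. For example, after each entry hit Tab, then Shift-Tab back.")]
    [string[]] $ServicePrincipalName = $null
)

Write-Verbose -Message "Prep Variables and Connections"

# Map the PSU host running this job to the ServiceNow instance it may write to.
# Any other host is refused so a change request is never created with an
# empty -Environment value against an unintended instance.
switch ($UAJob.ComputerName) {
    "ITDWINAUTOT1" { $ServiceNowEnvironment = 'Test' }
    "ITDWINAUTOP1" { $ServiceNowEnvironment = 'Production' }
    default { throw "Unknown job host '$($UAJob.ComputerName)'; no ServiceNow environment is mapped for it" }
}

$RequestedBy   = $UAJob.Identity.Name   # user that started the job
$PSUJobId      = $UAJob.Id
$StartDateTime = Get-Date
# ServiceNow username = local part of the identity with 'prv' removed —
# presumably mapping a privileged (prv) admin account back to the person's
# standard user record; confirm against the ServiceNow naming convention.
$ServiceNowUsername = $RequestedBy.split('@')[0] -replace 'prv'

# Both values come from the job submitter; reject empty or malformed input
# before touching the directory.
if ([string]::IsNullOrWhiteSpace($SamAccountName)) {
    throw "SamAccountName is required"
}
$ServicePrincipalName = @($ServicePrincipalName | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
if ($ServicePrincipalName.Count -eq 0) {
    throw "At least one ServicePrincipalName is required"
}
# serviceclass/host[:port-or-instance][/servicename], no whitespace anywhere.
$SpnPattern = '^[^/\s:]+/[^/\s:]+(:[^/\s]+)?(/[^\s]+)?$'
foreach ($Spn in $ServicePrincipalName) {
    if ($Spn -notmatch $SpnPattern) {
        throw "'$Spn' is not a valid SPN (expected serviceclass/host[:port][/servicename])"
    }
}

Write-Verbose -Message "Find AD User" -Verbose
$ADUser = Get-ADUser -Identity $SamAccountName -Properties ServicePrincipalNames -ErrorAction Stop

# Set-ADUser -ServicePrincipalNames @{Add=...} does not refuse duplicates the
# way 'setspn -s' does, so look for an existing owner first. Characters that
# carry meaning in an LDAP filter are escaped (RFC 4515) because the value is
# user supplied.
# NOTE(review): Get-ADObject searches the current domain only; a duplicate in
# another domain of the forest would not be detected here — confirm whether a
# forest-wide check is needed.
Write-Verbose -Message "Check for duplicate SPNs" -Verbose
foreach ($Spn in $ServicePrincipalName) {
    $Escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    $Owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$Escaped)" -ErrorAction Stop
    if ($Owner -and ($Owner.DistinguishedName -ne $ADUser.DistinguishedName)) {
        throw "SPN '$Spn' is already registered on $($Owner.DistinguishedName)"
    }
}

Write-Verbose -Message "Add SPN(s)" -Verbose
foreach ($Spn in $ServicePrincipalName) {
    # Already on this account: nothing to add, and re-adding is what the
    # validation listing below would show anyway.
    if ($ADUser.ServicePrincipalNames -contains $Spn) {
        Write-Verbose -Message ("SPN already present, skipping " + $Spn) -Verbose
        continue
    }
    Write-Verbose -Message ("Attempt to add SPN value " + $Spn) -Verbose
    # -ErrorAction Stop makes a failed write terminating, so the script ends
    # here instead of going on to record a "Successful" change request.
    $ADUser | Set-ADUser -ServicePrincipalNames @{Add = $Spn} -ErrorAction Stop
}

# Short pause before re-reading — presumably to let the write settle on the
# DC before the validation read; confirm it is still needed.
Start-Sleep -Seconds 2
Write-Verbose -Message "No errors when adding the SPNs, listing the SPNs here for human validation" -Verbose
$ValidateUser = Get-ADUser -Identity $SamAccountName -Properties ServicePrincipalNames |
    Select-Object SamAccountName, ServicePrincipalNames
$ValidateUser.ServicePrincipalNames

Write-Verbose -Message "Generate ServiceNow CHG" -Verbose
Write-Verbose -Message ("UAJob.ComputerName = " + $UAJob.ComputerName) -Verbose
New-ITDServiceNowSession -Environment $ServiceNowEnvironment -Credential $Secret:snow_vmcred -Verbose
$NewITDServiceNowChangeRequestParams = @{
    TemplateName              = 'NDIT-SPS-Server Add/Chg/Del'
    RequestedByUsername       = $ServiceNowUsername
    Category                  = 'Systems Platforms - Systems'
    Subcategory               = 'Windows'
    Impact                    = 3
    ShortDescription          = "ServicePrincipalName added to ndgov\$SamAccountName - PSU Job Id $PSUJobId"
    Description               = "ServicePrincipalName added to ndgov\$SamAccountName - PSU Job Id $PSUJobId, see notes for details"
    Justification             = "ServicePrincipalName is required to be added to Active Directory Service Accounts by some applications"
    Implementation            = "PSUniversal execution"
    RiskImpactAnalysis        = "Low"
    BackoutPlan               = "Remove the new service principal name from the serviceprincipalname attribute."
    TestPlan                  = "n/a"
    WhoIsImpacted             = "Windows System Administrators"
    StartTime                 = $StartDateTime
    EndTime                   = $StartDateTime.AddMinutes(1)
    AssignmentGroup           = 'NDIT-Computer Systems Windows'
    ChangeManagerUsername     = 'khellman'
    ChangeCoordinatorUsername = 'gpgolberg'
    AssignedToUsername        = $ServiceNowUsername
}
$CHG = New-ITDServiceNowChangeRequest @NewITDServiceNowChangeRequestParams -Verbose

Write-Verbose -Message ("Completing SNow " + $CHG.Number.value) -Verbose
$CompleteITDServiceNowChangeRequestParams = @{
    Number     = $CHG.Number.value
    CloseCode  = "Successful"
    # One SPN per line so the change record lists exactly what was requested.
    CloseNotes = "ServicePrincipalNames added to ndgov\$SamAccountName - PSU Job Id $PSUJobId`n" + ($ServicePrincipalName -join "`n")
}
Complete-ITDServiceNowChangeRequest @CompleteITDServiceNowChangeRequestParams -Verbose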