Listing what's already mapped treschaud33 at
Mon Oct 1 12:45:47 EDT 2007

On Oct 1, 11:27 am, "Christopher D. Clausen" <cclau... at> wrote:
> from a cmd.exe prompt (on a computer joined to this domain,) you can run
> net group "domain computers" /domain to get a list all every computer
> account.  (Assuming you are indeed using computer accounts and not user
> accounts.)
> You can then run the setspn.exe -L "computername" for each computername
> in the above list to see what mappings have been assigned.
> I do not know of a way to specifically list computers with modified SPNs
> without checking each and every object.
> <<CDC

Thanks for responding.  This didn't work though.  It says "Cannot find
account SERVER10."  I tried this a few different ways with no luck.
Even if this did work there are too many machines in the the domain to
check (500+).

I noticed that if I look at the properties of the mapped user in the
the Active Directory tool it shows the last machine name as the User
Logon Name on the Account tab.  Is there anyway to enumerate this a
see all the Logon names?

More information about the Kerberos mailing list