Listing what's already mapped

Christopher D. Clausen cclausen at
Mon Oct 1 14:07:16 EDT 2007

treschaud33 at wrote:
> On Oct 1, 11:27 am, "Christopher D. Clausen" <cclau... at> wrote:
>> from a cmd.exe prompt (on a computer joined to this domain) you can
>> run net group "domain computers" /domain to get a list of every
>> computer account.  (Assuming you are indeed using computer accounts
>> and not user accounts.)
>> You can then run the setspn.exe -L "computername" for each
>> computername in the above list to see what mappings have been
>> assigned.
> Thanks for responding.  This didn't work though.  It says "Cannot find
> account SERVER10."  I tried this a few different ways with no luck.
> Even if this did work there are too many machines in the domain to
> check (500+).

It works for me.  Perhaps you are logged on as a user in a different 

C:\>setspn -L KBS-CDC
Registered ServicePrincipalNames for 

It is pretty easy to write a for command to parse the net group output 
and then run setspn.

> I noticed that if I look at the properties of the mapped user in the
> the Active Directory tool it shows the last machine name as the User
> Logon Name on the Account tab.  Is there any way to enumerate this and
> see all the Logon names?

You'd have to write a direct ldap query.  Again, I think you would need 
to query each object as there are administrative limits.

You may be able to use the ldp.exe tool to perform a query.  I'm not 
sure if the field you want is directly accessible though.  You might 
still need to query for that field on a per-object basis.
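One way to do what this message describes, added here as an example and not part of the original thread: instead of parsing the net group output and calling setspn -L per machine, a single paged LDAP query (PowerShell, ADSI, no RSAT needed) pulls servicePrincipalName and userPrincipalName for every computer account that has SPNs. It assumes it runs on a domain-joined host as a domain user; the function name and output columns are my own.

```powershell
# Added example (not from the original thread): inventory every account that has
# SPNs registered using one paged LDAP query, as an alternative to running
# setspn -L per machine. Assumes a domain-joined host and an ordinary domain user.

function Get-DomainSpnInventory {
    param(
        # Computer accounts only by default; use '(servicePrincipalName=*)'
        # to include user accounts that have SPNs mapped to them.
        [string]$Filter = '(&(objectCategory=computer)(servicePrincipalName=*))'
    )

    # RootDSE tells us the default naming context (e.g. DC=example,DC=com)
    # of the domain we are joined to, so nothing has to be hard-coded.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = $rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$domainDn"
    $searcher.Filter      = $Filter
    $searcher.SearchScope = 'Subtree'
    # Paging keeps each result page within the server's MaxPageSize limit
    # (1000 by default) while still returning every match, so 500+ machines
    # come back from one search.
    $searcher.PageSize    = 1000
    foreach ($attr in 'sAMAccountName','userPrincipalName','servicePrincipalName','dNSHostName') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        foreach ($spn in $p['servicePrincipalName']) {
            # One row per SPN, mirroring what setspn -L prints for each account.
            [PSCustomObject]@{
                Account       = [string]$p['sAMAccountName'][0]
                DnsHostName   = [string]$p['dNSHostName'][0]
                UserLogonName = [string]$p['userPrincipalName'][0]  # "User Logon Name" on the Account tab
                SPN           = $spn
            }
        }
    }
}

# Full inventory, plus the check a defender wants: the same SPN registered on
# two accounts breaks Kerberos authentication for that service.
$inventory = Get-DomainSpnInventory
$inventory | Sort-Object Account, SPN | Format-Table -AutoSize
$inventory | Group-Object SPN | Where-Object Count -gt 1 |
    ForEach-Object { "DUPLICATE SPN: $($_.Name) on $($_.Group.Account -join ', ')" }
```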


More information about the Kerberos mailing list