Listing what's already mapped
Christopher D. Clausen
cclausen at acm.org
Mon Oct 1 14:07:16 EDT 2007
treschaud33 at yahoo.com wrote:
> On Oct 1, 11:27 am, "Christopher D. Clausen" <cclau... at acm.org> wrote:
>> from a cmd.exe prompt (on a computer joined to this domain,) you can
>> run net group "domain computers" /domain to get a list all every
>> computer account. (Assuming you are indeed using computer accounts
>> and not user accounts.)
>> You can then run the setspn.exe -L "computername" for each
>> computername in the above list to see what mappings have been
> Thanks for responding. This didn't work though. It says "Cannot find
> account SERVER10." I tried this a few different ways with no luck.
> Even if this did work there are too many machines in the domain to
> check (500+).
It works for me. Perhaps you are logged on as a user in a different
C:\>setspn -L KBS-CDC
Registered ServicePrincipalNames for
It is pretty easy to write a for command to parse the net group output
and then run setspn.
> I noticed that if I look at the properties of the mapped user in the
> the Active Directory tool it shows the last machine name as the User
> Logon Name on the Account tab. Is there any way to enumerate this and
> see all the Logon names?
You'd have to write a direct LDAP query. Again, I think you would need
to query each object as there are administrative limits.
You may be able to use the ldp.exe tool to perform a query. I'm not
sure if the field you want is directly accessible though. You might
still need to query for that field on a per-object basis.
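The following is an added example, not from this thread or from either poster: instead of running setspn -L once per account from a cmd.exe for loop, it issues a single paged LDAP query for every user or computer object that carries a servicePrincipalName and prints the account name, its User Logon Name (userPrincipalName) and each registered SPN. It assumes a domain-joined Windows host with .NET (no RSAT modules) and that the default naming context of the domain is the search base.

```powershell
# Added example (not from the original thread): audit SPN mappings domain-wide
# with one paged LDAP query rather than one setspn -L call per account.
# Assumes: domain-joined Windows host, .NET System.DirectoryServices available.

# RootDSE tells us the domain's default naming context, e.g. DC=example,DC=com
$rootDse = [ADSI]"LDAP://RootDSE"
$searchBase = "LDAP://$($rootDse.defaultNamingContext)"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$searchBase

# Paging makes the server return results past the MaxPageSize administrative
# limit (1000 entries by default), which is what breaks a single unpaged query
# in a domain with 500+ accounts.
$searcher.PageSize = 1000

# Only user (person) and computer objects that actually have an SPN registered
$searcher.Filter = "(&(|(objectCategory=person)(objectCategory=computer))(servicePrincipalName=*))"

# Limit the attributes returned to what the audit needs
$null = $searcher.PropertiesToLoad.AddRange(@(
    "sAMAccountName",
    "userPrincipalName",
    "servicePrincipalName"
))

$results = $searcher.FindAll()
try {
    foreach ($entry in $results) {
        $props = $entry.Properties
        $account = $props["samaccountname"][0]
        # Not every object has a UPN set; show an empty field rather than failing
        $upn = if ($props["userprincipalname"].Count -gt 0) { $props["userprincipalname"][0] } else { "" }
        foreach ($spn in $props["serviceprincipalname"]) {
            # One tab-separated line per SPN, easy to sort or import into a spreadsheet
            "{0}`t{1}`t{2}" -f $account, $upn, $spn
        }
    }
}
finally {
    # SearchResultCollection holds COM resources; release them explicitly
    $results.Dispose()
}
```

Sorting the output by the third column (the SPN) makes duplicate registrations, which are what cause Kerberos authentication to fail, stand out immediately.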