search

dataplat / dbatools

🚀 SQL Server automation and instance migrations have never been safer, faster or freer
https://dbatools.io
MIT License
2.44k stars 796 forks source link

Add OutputScriptOnly to Set-DbaSpn #9270

Open KennyNeal opened 6 months ago

KennyNeal commented 6 months ago

Summarize Functionality

DBAs do not always have permission to change AD. Set-DbaSpn could export the setspn scripts that could be handed off to a team with proper permissions. This is similar to what can be generated from the Kerberos Configuration Manager for SQL Server.

Is there a command that is similiar or close to what you are looking for?

No

Technical Details

Kerberos Configuration Manager for SQL Server

mattcargile commented 6 months ago

It might work better as a property on the Test-DbaSpn output?

andreasjordan commented 6 months ago

Looking at the code, I don't see an easy way to do that. The code is working with methods of the ad objects, not creating some kind of script.

Maybe you can provide an example "script" that you would like to be created.

mattcargile commented 6 months ago

After thinking about this more, I really think a better solution is to use something like the below. This will produce a setspn.cmd that will create the applicable SPNs. It won't add the Kerberos Delegation that Set-DbaSpn does though.

test-dbaspn computername | ForEach-Object { "setspn -S $($_.requiredspn)" } | Set-Content setspn.cmd

I'm not sure if dbatools should get into dynamically creating setspn commands?

andreasjordan commented 6 months ago

I see this clearly out of scope of dbatools and will not work on this issue.