Friday, July 10, 2009

Delegating permissions to write SPNs in Active Directory

A follow-up to the post below.

I tried delegating the ability to write SPNs (Service Principal Names, used for Kerberos) to a non-Domain Admin who did not have full control on the server objects. Since this is a really big organization I also did not want to grant him full control on those objects (politics...).

I thought delegating this shouldn't be a big deal, so I gave his account the permission "Validated write to service principal name" and applied to all computer objects in the servers OUs.

Of course it doesn't work. Instead of "insufficient permissions" we now got error 0x200b/8203 ("The attribute syntax specified to the directory service is invalid") when using SETSPN.

I checked Microsoft's documentation, and sure enough it says I only need "Validated write to service principal name". I captured the network traffic to see what SETSPN actually tries to write, and it only seems to be the servicePrincipalName attribute.

I then assigned full control to the account, and he was able to write the SPNs. Long story short, after some educated guessing it looks like he also needs the "Write Public Information" permission (the Public Information property set) in addition to the validated write.
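For anyone who wants to script the two-ACE delegation described above instead of clicking through the Delegation of Control wizard, here is an added PowerShell example (not from the original post). The OU path and the delegate account are placeholders; the rights GUIDs are the standard schema values for the Validated-SPN validated write, the Public Information property set and the computer object class.

```powershell
# Added example: delegate SPN writes on computer objects in one OU.
# Placeholders: replace the OU distinguished name and the delegate account.
Import-Module ActiveDirectory

$ouPath   = "AD:\OU=Servers,DC=example,DC=com"          # placeholder OU
$delegate = New-Object System.Security.Principal.NTAccount("EXAMPLE", "spn-delegate")  # placeholder account
$sid      = $delegate.Translate([System.Security.Principal.SecurityIdentifier])

# Well-known schema GUIDs (rightsGuid / schemaIDGUID):
$validatedSpn  = [Guid]"f3a64788-5306-11d1-a9c5-0000f80367c1"  # Validated write to service principal name
$publicInfo    = [Guid]"e48d0154-bcf8-11d1-8702-00c04fb96050"  # Public Information property set
$computerClass = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"  # computer object class

$acl = Get-Acl -Path $ouPath

# ACE 1: the validated write the documentation mentions. Validated writes are
# expressed as the "Self" right scoped to the validated-write GUID, applied to
# descendant computer objects only.
$aceValidated = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::Self,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $validatedSpn,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass)

# ACE 2: the extra right the post found to be necessary in practice:
# Write Property on the Public Information property set, same scope.
$acePublicInfo = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $publicInfo,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass)

$acl.AddAccessRule($aceValidated)
$acl.AddAccessRule($acePublicInfo)
Set-Acl -Path $ouPath -AclObject $acl

# Verification: list only the ACEs granted to the delegate, so the two rights
# (and nothing broader, such as GenericAll) can be confirmed before handing over.
(Get-Acl -Path $ouPath).Access |
    Where-Object { $_.IdentityReference -eq $delegate } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType
```

Rerun the verification step after the delegate's first SETSPN -A to confirm the write succeeded without any additional inherited rights.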

1 comment:

Anonymous said...

It's surprising how I couldn't find this info anywhere until I saw this. Thanks