2XXE-SRA · March 23, 2021 19:51
diff --git a/spn.ps1 b/spn.ps1
 # adapted from https://stackoverflow.com/a/6291111
 # 
 # TargetObject = account with SPN
 #   $TargeObject = "LDAP://CN=foo,CN=Users,DC=contoso,DC=local"
 # Identity = identity to be put in ACE
 #   $Identity = [security.principal.ntaccount]"contoso\user"
 #   $Identity = [security.principal.securityidentified]"S-1-1-0"
 # Deny = deny or allow access
 Function Set-SpnPermission {
    param(
        [adsi]$TargetObject,
        [Security.Principal.IdentityReference]$Identity,
        [switch]$Deny
    )
    $spnSecGuid = new-object GUID "f3a64788-5306-11d1-a9c5-0000f80367c1"

    if($Deny){$access = "Deny"} else { $access = "Allow"}
    $adRight=[DirectoryServices.ActiveDirectoryRights]"ReadProperty"
    $accessRuleArgs = $identity,$adRight,$access,$spnSecGuid,"None"
    $spnAce = new-object DirectoryServices.ActiveDirectoryAccessRule $accessRuleArgs
    $TargetObject.psbase.ObjectSecurity.AddAccessRule($spnAce)
    $TargetObject.psbase.CommitChanges()    
    return $spnAce
 }
	# adapted from https://stackoverflow.com/a/6291111
	#
	# TargetObject = account with SPN
	# $TargeObject = "LDAP://CN=foo,CN=Users,DC=contoso,DC=local"
	# Identity = identity to be put in ACE
	# $Identity = [security.principal.ntaccount]"contoso\user"
	# $Identity = [security.principal.securityidentified]"S-1-1-0"
	# Deny = deny or allow access
	Function Set-SpnPermission {
	param(
	[adsi]$TargetObject,
	[Security.Principal.IdentityReference]$Identity,
	[switch]$Deny
	)
	$spnSecGuid = new-object GUID "f3a64788-5306-11d1-a9c5-0000f80367c1"

	if($Deny){$access = "Deny"} else { $access = "Allow"}
	$adRight=[DirectoryServices.ActiveDirectoryRights]"ReadProperty"
	$accessRuleArgs = $identity,$adRight,$access,$spnSecGuid,"None"
	$spnAce = new-object DirectoryServices.ActiveDirectoryAccessRule $accessRuleArgs
	$TargetObject.psbase.ObjectSecurity.AddAccessRule($spnAce)
	$TargetObject.psbase.CommitChanges()
	return $spnAce
	}