SqlSpnManager

Invoke-SqlSpnExecutionEngine

Executes an SPN plan: optional permission preflight, forest-wide duplicate check, then registration, with audit logging.

Read / Write | Pipeline-friendly | SqlSpnManager v1.4.0

Description

For the supplied plan:

  1. (Per DR-108) Unless -SkipPreflight is set, runs Test-SqlAdPermission on Plan.AccountDn before registration. If the caller is missing the rights needed to write SPNs, emits a structured warning and continues — setspn will surface the actual error if the static check missed delegation.
  2. For each SPN, runs setspn -Q (with -T when CrossForest is set) to detect an existing registration anywhere in the forest.
  3. On conflict, skips that SPN and logs a WARN entry.
  4. Otherwise runs setspn -S (with -T when CrossForest) to register the SPN against the plan's AccountDn.

Honors ShouldProcess so callers can use -WhatIf and -Confirm.

Recipes

Recipe 1

    $plan | Invoke-SqlSpnExecutionEngine -WhatIf

Recipe 2

    $plan | Invoke-SqlSpnExecutionEngine -SkipPreflight

Recipe 3

    $result = $plan | Invoke-SqlSpnExecutionEngine -PassThru
    $result.OverallStatus      # e.g. AllRegistered | Completed | PartialFailure
    $result.Spns | Where-Object Action -eq 'Failed'

Notes

Pester mocks Invoke-SqlSpnNativeCall to substitute setspn.exe in tests. The preflight check is best-effort and warn-only; per DR-108 it never blocks registration on its own decision.

Parameters

-Plan (required, PSObject, accepts pipeline input)
    Output of New-SqlSpnPlan. Required fields: AccountDn, ProposedSpns, TargetDomain, CrossForest.

-SkipPreflight (optional, SwitchParameter)
    Skip the Test-SqlAdPermission check. Use when the static ACL inspection is known to misfire in your environment (delegation patterns it can't see) or when you want to attempt registration regardless and let setspn surface any real error.

-PassThru (optional, SwitchParameter)
    Opt-in. Also return a structured SqlSpn.ExecutionResult object describing the per-SPN outcome and an overall status. Off by default so existing callers (the wizard, human operators) see no behaviour change. Added per DR-308 for programmatic consumers (e.g. SqlInstanceForge) that need a machine-readable result instead of scraping the audit log. The console output and audit log are written exactly as before, in addition.

-WhatIf (optional, SwitchParameter)

-Confirm (optional, SwitchParameter)
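
For programmatic consumers of -PassThru, the following added example (not part of SqlSpnManager) shows one way to gate an automation step on the returned object, using only the documented OverallStatus, Spns and Action members. Test-SpnExecutionResult is a hypothetical helper, and the sample object, its Spn property and the 'Registered' / 'Skipped' Action values are constructed assumptions.

```powershell
# Added example: gate an automation step on the -PassThru result.
# Test-SpnExecutionResult is a hypothetical helper, not part of SqlSpnManager.
function Test-SpnExecutionResult {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $Result
    )
    process {
        # Only OverallStatus, Spns and Action are documented, so tally
        # whatever Action values appear instead of assuming a fixed set.
        $counts = @{}
        foreach ($entry in $Result.Spns) {
            $key = [string]$entry.Action
            $counts[$key] = 1 + [int]$counts[$key]
        }
        $failed = @($Result.Spns | Where-Object Action -eq 'Failed')

        [pscustomobject]@{
            OverallStatus = $Result.OverallStatus
            ActionCounts  = $counts
            FailedEntries = $failed
            # A reported partial failure or any failed entry is a hard stop.
            Ok            = ($Result.OverallStatus -ne 'PartialFailure') -and
                            ($failed.Count -eq 0)
        }
    }
}

# Constructed sample shaped like the documented result. The Spn property and
# the 'Registered' / 'Skipped' Action values are assumptions for this sample.
$sample = [pscustomobject]@{
    OverallStatus = 'PartialFailure'
    Spns = @(
        [pscustomobject]@{ Spn = 'MSSQLSvc/sql01.example.test:1433'; Action = 'Registered' }
        [pscustomobject]@{ Spn = 'MSSQLSvc/sql01.example.test';      Action = 'Skipped' }
        [pscustomobject]@{ Spn = 'MSSQLSvc/sql01:1433';              Action = 'Failed' }
    )
}

$check = $sample | Test-SpnExecutionResult
$check.ActionCounts                      # per-Action tally for the run log
if (-not $check.Ok) {
    $check.FailedEntries | Format-List   # surface the entries that need follow-up
    Write-Error "SPN registration incomplete (OverallStatus=$($check.OverallStatus))"
}

# With the module loaded:
# $plan | Invoke-SqlSpnExecutionEngine -PassThru | Test-SpnExecutionResult
```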
