SqlSpnManager

1.4.0

Enterprise SPN governance for SQL Server. Manages Service Principal Name registration across Standalone, AlwaysOn, and FCI scenarios with forest-wide duplicate detection, cross-forest -T flag handling, FCI cluster Virtual Computer Object auto-resolution, AD ACL preflight, per-invocation audit logging, and Windows Event Log SIEM-readiness. v1 public surface is the lab-proven Engine core: Role in {Engine, Agent} x Scenario in {Standalone, AlwaysOn, FCI}. Export-SqlSpnRegistrationScript renders a plan into a clean setspn command bundle for AD-segregated organisations where a sysadmin executes the registration. SSAS, SSRS, PBIRS, Browser, and the MSDTC scenario are deferred as named, demand-sequenced, prove-before-expose post-v1 expansions (DR-309). See Docs\\DECISIONS_PHASE3.md (DR-309, DR-311).
Minimum PowerShell version

5.1

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name SqlSpnManager -RequiredVersion 1.4.0

Copy and paste the following command to install this package using Microsoft.PowerShell.PSResourceGet:

Install-PSResource -Name SqlSpnManager -Version 1.4.0

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies.

Copyright

(c) Keith Ramsey. All rights reserved.

Package Details

Author(s)

  • Keith Ramsey

Tags

SQL SPN Kerberos ActiveDirectory AD FCI AlwaysOn AG Authentication Audit EventLog SIEM DBA Governance ServicePrincipalName CrossForest gMSA ManagedServiceAccount Windows

Functions

Add-SqlSpn Assert-SqlAccountStandard Export-SqlSpnRegistrationScript Get-SqlSpnAccount Get-SqlSpnDiscoveryEngine Get-SqlSpnInfrastructure Invoke-SqlSpnExecutionEngine New-SqlSpnPlan Remove-SqlSpn Show-SqlSpnDiagnostic Start-SqlSpnConfiguration Start-SqlSpnManager Test-SqlSpnPlan

PSEditions

Desktop Core

Dependencies

This module has no dependencies.

Release Notes

v1.4.0 (Phase 3 close - DR-309 + DR-311):
- Public surface narrowed to the lab-proven Engine core (DR-309):
 Role in {Engine, Agent} x Scenario in {Standalone, AlwaysOn, FCI}.
 SSAS, SSRS, PBIRS, Browser, MSDTC deferred as named, demand-sequenced,
 prove-before-expose post-v1 expansions (internal tables unchanged).
- Added Export-SqlSpnRegistrationScript (DR-311): renders a plan into a
 clean setspn command bundle for an AD admin to execute. Supports Cmd
 and PowerShell formats. Output carries provenance: module version,
 plan GUID, UTC stamp, target account sAMAccountName + DN. Closes the
 workflow for AD-segregated organisations (regulated environments,
 anywhere the DBA does not have AD write rights).
- DR-307 closed as documented v1 limitation (option c): English-locale
 assumption for setspn success detection; engineered fix deferred as a
 named post-v1 increment, reopens on real demand signal.
- DR-310 (Level 1 testing standard) implemented across the unit suite:
 tests run our own real functions and substitute ONLY the true external
 edge (setspn / AD cmdlets / OS APIs). Surfaced and removed a tautology
 test and a 30s remote-registry network hang.
- 213/213 Pester 5 tests; PSScriptAnalyzer gate clean; lab-validated
 Waves 1-3 on a real domain 2026-05-17.

Version History

Version Downloads Last updated
1.4.1 0 5/24/2026
1.4.0 (current version) 0 5/24/2026