Private/Resolve-SqlSpnVirtualAccount.ps1
# =============================================================================
# Script : Resolve-SqlSpnVirtualAccount.ps1
# Author : Keith Ramsey
# =============================================================================
# Change Log
# -----------------------------------------------------------------------------
# 2026-05-09  Keith Ramsey  Phase 2 release polish - DR-202 standard header applied.
# =============================================================================
function Resolve-SqlSpnVirtualAccount {
    <#
    .SYNOPSIS
        Maps a virtual / built-in SQL service identity onto the local computer
        object's account name.

    .DESCRIPTION
        SQL services are frequently configured with identities that are not real
        Active Directory principals: 'NT Service\MSSQLSERVER',
        'NT Service\MSSQL$INSTANCE', 'LocalSystem', 'NT AUTHORITY\NetworkService'
        and similar. An SPN can only be registered on a real AD object, so for
        Standalone and AlwaysOn-listener registrations the conventional target is
        the host's Computer Object, written in SAM form as "<COMPUTERNAME>$".
        Per Dev Rules §11.

        The target is derived from $env:COMPUTERNAME, so the caller must run this
        on the host whose computer object should own the SPN (or in a session
        whose environment reflects that host).

        FCI Engine registrations point at the cluster Virtual Computer Object
        instead and are handled by Resolve-SqlSpnFciCno from inside
        New-SqlSpnPlan; this function is not involved in that path.

    .PARAMETER AccountName
        The account name exactly as it appears on the SQL service, e.g.
        'NT Service\MSSQLSERVER', 'LocalSystem', or an existing AD account such
        as 'svc_sql_prod'. Matching is case-insensitive (PowerShell -match).

    .OUTPUTS
        [string] The resolved account name. Virtual / built-in identities become
        "<COMPUTERNAME>$"; anything else is returned unchanged.

    .NOTES
        Non-FCI scenarios only. FCI Engine targets the cluster VCO via
        Resolve-SqlSpnFciCno; Start-SqlSpnManager and Start-SqlSpnConfiguration
        choose the redirect path for the selected scenario.

        NOTE(review): 'LocalService' is redirected to the computer object along
        with the other built-ins. A service running as LocalService presents
        anonymous credentials on the network rather than the computer account,
        so an SPN on the computer object would not enable Kerberos for it --
        confirm this mapping is intentional for the callers.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$AccountName
    )

    # One anchored, non-capturing alternation covering the built-in / virtual
    # identity shapes that are not AD principals. The backslash is doubled
    # because it is a regex escape inside a single-quoted literal.
    $redirectPattern = '^(?:NT Service\\|NT AUTHORITY\\|LocalSystem$|LocalService$|NetworkService$)'

    if ($AccountName -notmatch $redirectPattern) {
        # Already a real AD-shaped identity: hand it back untouched.
        return $AccountName
    }

    # SAM-style computer account name: the hostname with a trailing '$'.
    $computerObject = "$env:COMPUTERNAME`$"
    Write-Verbose "Redirecting virtual identity [$AccountName] to local computer object [$computerObject]."
    return $computerObject
}