Service Principal Name attribute changes are reported as made by System or by a computer account

Active Directory
6.5 and older

The Service Principal Name attribute associates a service on a particular server with the account responsible for managing that service, which permits mutual Kerberos authentication. Changes to this attribute are usually made by the System in response to operating system changes on a specific computer, for example installation of operating system updates, computer name changes, installation of SQL Server, and others.

| Change Type | Object Type | When Changed | Who Changed | Where Changed | Workstation | Object Name | Details |
|---|---|---|---|---|---|---|---|
| Modified | computer | 12/16/2013 11:34:24 AM | DOMAINX\VISIO$ | ptdc.domainx.local | unknown | \local\domainx\Computers\VISIO | Service Principle Name: Added: “WSMAN/visio;WSMAN/visio.domainx.local;TERMSRV/VISIO;TERMSRV/visio.domainx.local” |

The “Who Changed” field for Service Principal Name attribute changes may contain the following:

  • A computer account with the $ suffix (DOMAINX\VISIO$): the Service Principal Name attribute was changed by the “local system” service from that computer.
  • A domain controller account with the $ suffix (DOMAINX\PTDC$): the Service Principal Name attribute was changed by the “local system” service on the domain controller.
  • The “System” account: the Service Principal Name attribute was changed by the System (Active Directory) in response to operating system changes on the computer, but the corresponding security event was not generated for this system change.
  • An actual user account: the Service Principal Name attribute was changed manually.
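
The four cases above can be applied to exported report rows to separate manual changes from system-generated ones. This is an added example, not Netwrix code: the row dictionaries, `DC_NAMES`, and every sample row except the abbreviated VISIO$ one are constructed assumptions.

```python
# Added example, not Netwrix code. Rows mirror the report columns shown above;
# DC_NAMES and all rows except the (abbreviated) VISIO$ row are constructed.
DC_NAMES = {"PTDC"}  # assumption: host names of the domain controllers

SAMPLE_ROWS = [
    {"who": "DOMAINX\\VISIO$", "object": "\\local\\domainx\\Computers\\VISIO",
     "details": "Service Principle Name: Added: WSMAN/visio;TERMSRV/VISIO"},
    {"who": "DOMAINX\\PTDC$", "object": "\\local\\domainx\\Computers\\APP01",
     "details": "Service Principle Name: Added: HOST/app01"},
    {"who": "System", "object": "\\local\\domainx\\Computers\\APP01",
     "details": "Service Principle Name: Removed: HOST/app01-old"},
    {"who": "DOMAINX\\jsmith", "object": "\\local\\domainx\\Users\\svc-web",
     "details": "Service Principle Name: Added: HTTP/web.domainx.local"},
    {"who": "DOMAINX\\jsmith", "object": "\\local\\domainx\\Users\\svc-web",
     "details": "Description: Changed"},
]


def classify_who_changed(who, dc_names):
    """Map a "Who Changed" value to one of the four cases listed above."""
    account = who.rsplit("\\", 1)[-1].strip()  # drop the DOMAIN\ part
    if account.lower() == "system":
        return "system"                  # changed by Active Directory itself
    if account.endswith("$"):
        host = account[:-1].lower()
        if host in {name.lower() for name in dc_names}:
            return "domain-controller"   # local system service on a DC
        return "computer"                # local system service on the computer
    return "user"                        # manual change by a user account


def manual_spn_changes(rows, dc_names):
    """Return only the SPN rows whose change was made by a user account."""
    return [
        row for row in rows
        if row["details"].startswith("Service Principle Name:")
        and classify_who_changed(row["who"], dc_names) == "user"
    ]


if __name__ == "__main__":
    for row in manual_spn_changes(SAMPLE_ROWS, DC_NAMES):
        print(row["who"], row["object"], row["details"])
```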

Because the Service Principal Name attribute is changed only for system purposes, we recommend excluding this attribute from reporting by adding the *.ServicePrincipleName line to the omitproplist.txt file, which is located in the Netwrix Auditor installation directory (by default C:\Program Files (x86)\Netwrix Auditor\Active Directory Auditing). Also check the unomitproplist.txt file located in the same directory and remove the *.ServicePrincipleName line from it.

For more information about the Service Principal Name attribute and its usage, refer to the following Microsoft KB articles:
