Comments (13)

  1. @Dr. D: I'm sorry you feel that way. But if you would have read the whole post, you would have seen that the complete working function is posted in the script repository at


  2. Anonymous says:

    Thanks for the script, was just about to write one like this myself when i found yours 🙂

    On a sidenote: Your script will only work on english operating Systems. Localized Versions (at least the german one) will fail to find the correct tasks because "run as user" and the local Service names vary. I can give you the german ones if you are interrested
    but i guess it would be too much of a hussle to Switch the locale in the script on the fly.

    One more Thing which might be nice for other users – if you build this block (that i copied out of one of my scripts) into yours you can also allow to select a OU and Sub-OUs to scan for accounts:

    #resolve computer names from OU
    $ComputerOU = ‘OU='[DN OF OU HERE]’
    $DomainControllerFQDN = ‘[FQDN of DC HERE]’
    $sess=new-pssession -computername $DomainControllerFQDN
    $CommandRes = invoke-command -session $sess -scriptblock {import-module ActiveDirectory}
    $ImportRes = Import-Pssession -Session $sess -module ActiveDirectory -Prefix Rem -Commandtype All
    $CompList = Get-RemADComputer -SearchScope Subtree -Filter {Enabled -eq "True"} -Properties * -SearchBase $ComputerOU | Select-Object -ExpandProperty CN

    $ComputerName = $CompList

    Remove-PSSession -Computername $DomainControllerFQDN -ErrorAction Stop
    catch [Exception]
    #silently ignore

    you would – of course, build that in through Parameters but it does ist job.

    Also note that the script will fail to query 2012 and up Servers for Tasks failing with "The task XML contains a value which is incorrectly formatted or out of range."

    I’m currently at getting a alternative query in place for those Systems

    Keep up the good work!

    1. Xbugsy says:

      I really like the idea of selecting the computers by OU but I am not sure how to incorporate this code into the original function? Could you provide some guidance? thanks

  3. Dr. D says:

    Crappy post.  So you write suggestions on how to do stuff but no real script offered.  

  4. MR says:

    Hello Martin,

    Very good article ! I tested the script on windows 7 and of course it works perfectly 🙂

    This post is very useful for manual SPN registration for Kerberos authentication.

    May I ask you some questions related with clusters and service accounts (under which they run) ?

    If ClusSvc account running as AD domain account (domainnameusername) for windows cluster service, how can I register spn for that account and should it be registered at all ?  And also what spn format must be used (regarding spn service class) ? I understand that cluster service account can run as Local System. But that's not my case because I found it configured to run as domain account in my company. If after that service configuration I enable windows clustername for Kerberos authentication same name computer account is created in AD as it should be. So I'm VERY CONFUSED because MSClusterVirtualServer/clustername (and also for FQDN) is registered to that computer account and I think it should be registered on clussvc account (domainnameusername).

    I searched internet for a month and tried everything (wireshark,netmon,kerberos debugging with KerbDebugLevel c0000043, many good articles and posts and blogs etc.) but I JUST DON'T KNOW how to get rid of the Event id 4 in system log (followed by event id 529 in security log) when requesting service that runs on that clustername machine. I'm running out of ideas, ANY HELP WOULD BE APPRECIATED !

    Everything I saw from network sniffing is KDC gives me a ticket for host/CLUSTERNAME but when i present it I get that error from CLUSTERNAME and I clearly see that the active node responds me with error (through GSS-API of DCE/RPC => servername(service and host) = clusternode(FQDN)). So it tries to decrypt ticket that is encrypted with PASSWORD OF CLUSTENAME computer account intended for CLUSTERNAME but I don't really know why ? This cannot ever work !

    The error is:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/CLUSTERNODE. The target name used was HOST/CLUSTERNAME. This indicates that the target server failed to decrypt the ticket provided by the client…

    I have looked at this these very useful archive links:…/kerberos-event-4-mit-fehler-code-krb-ap-err-modified-auf-windows-server-2003-sp2-cluster.aspx…/kerberos-delegation-end-to-end-part-i.aspx…/913327

    but doesn't much help about this specific error.

    DontUseNPSecureForRemote registry fix doesn't handle multiple 529 events but it works in order not to log this error on clusternode (Windows Server 2003 R2) although it logs it on the client (Windows 7).

    Anyway I still cannot figure out which service on cluster machine is misconfigured ???

    I'm pretty sure that DNS and AD replication are fine.

    Of course I'm looking forward to your next post.

    Best Regards and thanks very much in advance

  5. Guillaume says:


    For W2012 did you find a fix for the formatted or out of range error


  6. Bela Fisch says:

    Thx for this awesome script. I have exact the same problem as Guillaume. For Server OS > 2008R2, i am running into this: ERROR: The task XML contains a value which is incorrectly formatted or out of range

  7. Bela Fisch says:

    Thx for this awesome script. I have exact the same problem as Guillaume. For Server OS > 2008R2, i am running into this: ERROR: The task XML contains a value which is incorrectly formatted or out of range

  8. Bela Fisch says:

    Got the solution:
    i tried to run this script from a server 2008R2 Server on a server2012. This is the problem. If you run the script from a server2012, then it is working like a charm.

  9. Paolo DiLernia says:

    Thank you Martin! Worked great once I registered the script.

  10. David Currier says:

    Just ran your script and it’s fantastic, thanks.
    I did find one thing though. The Name column width causes it to truncate causing loss of additional information used to determine which service or application it is. Normally this wouldn’t be an issue, but in my case I have multiple services that are close in name. Is there a way to make it wider or is the value fixed?

  11. FloRod says:

    Script worked perfectly for me. To avoid the task error, I run the script off a W2012R2 machine.

    Thanks Again!

  12. EldadiO says:

    Hi Martin,
    Thank you for your contribution.
    This script can help me a lot…
    However, I am not sure why… when I run it on a windows 2012 R2 DC… i don’t get any output on screen…
    Not sure what I do wrong…

    Help or tips will be appreciated.

    the process:

    PS C:\Scripts> . .\Get-ServiceAccountUsage.ps1
    PS C:\Scripts> .\scripts\Get-ServiceAccountUsage -UserAccount ‘domain\test’
    .\scripts\Get-ServiceAccountUsage : The term ‘.\scripts\Get-ServiceAccountUsage’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
    try again.
    At line:1 char:1
    + .\scripts\Get-ServiceAccountUsage -UserAccount ‘domain\test’
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (.\scripts\Get-ServiceAccountUsage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    PS C:\Scripts> c:\scripts\Get-ServiceAccountUsage -UserAccount ‘domain\test’
    PS C:\Scripts>

Skip to main content