Solved

Checking encryption types for a domain user via the command line (is there an AD encryption type attribute?)

Posted on 2013-02-05
3
559 Views
Last Modified: 2013-02-18
Hi guys,
I want to be able to check a whole bunch of domain user accounts to check what encryption types they support, and whether or not they support DES encryption.

I know I can go into the Account properties of each user account, but we are talking 100s of users I wish to check.

Is there an easier way?

I have attached a user account of one option I would like to get.

Any help greatly appreciated.
ee-desEncryptionCommandLine-isit.bmp
0
Comment
Question by:Simon336697
3 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 420 total points
ID: 38858080
so that is a tricky attribute because it is stored as part of the useraccountcontrol attribute

http://support.microsoft.com/kb/305144?wa=wsignin1.0

As you can see in that article there are values.

So as an example if I have a "normal" account that has the "use kerberos DES encryption types" checked. The value for this account that adds up to 2097664

Normal Account = 512   + Use Kerberos DES 2097152 = 2097664

Next maybe I want to search for all accounts that have that value.  I like using a tool like adfind by MVP Joe Richards   http://www.joeware.net/freetools/tools/adfind/index.htm

adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2097664)"  samaccountname useraccountcontrol

In my lab I've set two users this way and here is the screenshot
1
Next question would be...is there an easier way to calculate useraccountcontrol values?

There is a guy that has made a very useful spreadsheet

[XLS]

identityunderground.be/downloads/useraccountcalculator.xls
(it also comes up in searches for "useraccountcontrol calculator"

I hope this helps.

Thanks

Mike
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 80 total points
ID: 38862026
Use the powershell:
get-aduser -filter {UseDESKeyOnly -eq "True"}
->lists all users with that attribute set.
0
 
LVL 1

Author Comment

by:Simon336697
ID: 38872576
You guys are just brilliant. Thank you.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I know all systems administrator at some time or another has had to create a script to copy file from a server share to a desktop. Well now there is an easy way to do this in Group Policy. Using Group policy preferences is not hard. The first thing …
Do you have users whose passwords are expiring and they are constantly calling you?  Well I sure did and needed a way to put an end to this.  We have a lot of remote users which would not be notified that their passwords were expiring since they wer…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now