Solved

Checking encryption types for a domain user via the command line (is there an AD encryption type attribute?)

Posted on 2013-02-05
3
568 Views
Last Modified: 2013-02-18
Hi guys,
I want to be able to check a whole bunch of domain user accounts to check what encryption types they support, and whether or not they support DES encryption.

I know I can go into the Account properties of each user account, but we are talking 100s of users I wish to check.

Is there an easier way?

I have attached a user account of one option I would like to get.

Any help greatly appreciated.
ee-desEncryptionCommandLine-isit.bmp
0
Comment
Question by:Simon336697
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 420 total points
ID: 38858080
so that is a tricky attribute because it is stored as part of the useraccountcontrol attribute

http://support.microsoft.com/kb/305144?wa=wsignin1.0

As you can see in that article there are values.

So as an example if I have a "normal" account that has the "use kerberos DES encryption types" checked. The value for this account that adds up to 2097664

Normal Account = 512   + Use Kerberos DES 2097152 = 2097664

Next maybe I want to search for all accounts that have that value.  I like using a tool like adfind by MVP Joe Richards   http://www.joeware.net/freetools/tools/adfind/index.htm

adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2097664)"  samaccountname useraccountcontrol

In my lab I've set two users this way and here is the screenshot
1
Next question would be...is there an easier way to calculate useraccountcontrol values?

There is a guy that has made a very useful spreadsheet

[XLS]

identityunderground.be/downloads/useraccountcalculator.xls
(it also comes up in searches for "useraccountcontrol calculator"

I hope this helps.

Thanks

Mike
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 80 total points
ID: 38862026
Use the powershell:
get-aduser -filter {UseDESKeyOnly -eq "True"}
->lists all users with that attribute set.
0
 
LVL 1

Author Comment

by:Simon336697
ID: 38872576
You guys are just brilliant. Thank you.
0

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Let's recap what we learned from yesterday's Skyport Systems webinar.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question