Solved

Checking encryption types for a domain user via the command line (is there an AD encryption type attribute?)

Posted on 2013-02-05
3
564 Views
Last Modified: 2013-02-18
Hi guys,
I want to be able to check a whole bunch of domain user accounts to check what encryption types they support, and whether or not they support DES encryption.

I know I can go into the Account properties of each user account, but we are talking 100s of users I wish to check.

Is there an easier way?

I have attached a user account of one option I would like to get.

Any help greatly appreciated.
ee-desEncryptionCommandLine-isit.bmp
0
Comment
Question by:Simon336697
3 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 420 total points
ID: 38858080
so that is a tricky attribute because it is stored as part of the useraccountcontrol attribute

http://support.microsoft.com/kb/305144?wa=wsignin1.0

As you can see in that article there are values.

So as an example if I have a "normal" account that has the "use kerberos DES encryption types" checked. The value for this account that adds up to 2097664

Normal Account = 512   + Use Kerberos DES 2097152 = 2097664

Next maybe I want to search for all accounts that have that value.  I like using a tool like adfind by MVP Joe Richards   http://www.joeware.net/freetools/tools/adfind/index.htm

adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2097664)"  samaccountname useraccountcontrol

In my lab I've set two users this way and here is the screenshot
1
Next question would be...is there an easier way to calculate useraccountcontrol values?

There is a guy that has made a very useful spreadsheet

[XLS]

identityunderground.be/downloads/useraccountcalculator.xls
(it also comes up in searches for "useraccountcontrol calculator"

I hope this helps.

Thanks

Mike
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 80 total points
ID: 38862026
Use the powershell:
get-aduser -filter {UseDESKeyOnly -eq "True"}
->lists all users with that attribute set.
0
 
LVL 1

Author Comment

by:Simon336697
ID: 38872576
You guys are just brilliant. Thank you.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question