Solved

Checking encryption types for a domain user via the command line (is there an AD encryption type attribute?)

Posted on 2013-02-05
3
558 Views
Last Modified: 2013-02-18
Hi guys,
I want to be able to check a whole bunch of domain user accounts to check what encryption types they support, and whether or not they support DES encryption.

I know I can go into the Account properties of each user account, but we are talking 100s of users I wish to check.

Is there an easier way?

I have attached a user account of one option I would like to get.

Any help greatly appreciated.
ee-desEncryptionCommandLine-isit.bmp
0
Comment
Question by:Simon336697
3 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 420 total points
ID: 38858080
so that is a tricky attribute because it is stored as part of the useraccountcontrol attribute

http://support.microsoft.com/kb/305144?wa=wsignin1.0

As you can see in that article there are values.

So as an example if I have a "normal" account that has the "use kerberos DES encryption types" checked. The value for this account that adds up to 2097664

Normal Account = 512   + Use Kerberos DES 2097152 = 2097664

Next maybe I want to search for all accounts that have that value.  I like using a tool like adfind by MVP Joe Richards   http://www.joeware.net/freetools/tools/adfind/index.htm

adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2097664)"  samaccountname useraccountcontrol

In my lab I've set two users this way and here is the screenshot
1
Next question would be...is there an easier way to calculate useraccountcontrol values?

There is a guy that has made a very useful spreadsheet

[XLS]

identityunderground.be/downloads/useraccountcalculator.xls
(it also comes up in searches for "useraccountcontrol calculator"

I hope this helps.

Thanks

Mike
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 80 total points
ID: 38862026
Use the powershell:
get-aduser -filter {UseDESKeyOnly -eq "True"}
->lists all users with that attribute set.
0
 
LVL 1

Author Comment

by:Simon336697
ID: 38872576
You guys are just brilliant. Thank you.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
fine grained password polices 3 42
AD lockouts-AdAudit Plus 7 31
exchange, active directory 9 16
exchange, active directory 4 8
As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our…
Do you have users whose passwords are expiring and they are constantly calling you?  Well I sure did and needed a way to put an end to this.  We have a lot of remote users which would not be notified that their passwords were expiring since they wer…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now