[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 583
  • Last Modified:

Checking encryption types for a domain user via the command line (is there an AD encryption type attribute?)

Hi guys,
I want to be able to check a whole bunch of domain user accounts to check what encryption types they support, and whether or not they support DES encryption.

I know I can go into the Account properties of each user account, but we are talking 100s of users I wish to check.

Is there an easier way?

I have attached a user account of one option I would like to get.

Any help greatly appreciated.
ee-desEncryptionCommandLine-isit.bmp
0
Simon336697
Asked:
Simon336697
2 Solutions
 
Mike KlineCommented:
so that is a tricky attribute because it is stored as part of the useraccountcontrol attribute

http://support.microsoft.com/kb/305144?wa=wsignin1.0

As you can see in that article there are values.

So as an example if I have a "normal" account that has the "use kerberos DES encryption types" checked. The value for this account that adds up to 2097664

Normal Account = 512   + Use Kerberos DES 2097152 = 2097664

Next maybe I want to search for all accounts that have that value.  I like using a tool like adfind by MVP Joe Richards   http://www.joeware.net/freetools/tools/adfind/index.htm

adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2097664)"  samaccountname useraccountcontrol

In my lab I've set two users this way and here is the screenshot
1
Next question would be...is there an easier way to calculate useraccountcontrol values?

There is a guy that has made a very useful spreadsheet

[XLS]

identityunderground.be/downloads/useraccountcalculator.xls
(it also comes up in searches for "useraccountcontrol calculator"

I hope this helps.

Thanks

Mike
0
 
McKnifeCommented:
Use the powershell:
get-aduser -filter {UseDESKeyOnly -eq "True"}
->lists all users with that attribute set.
0
 
Simon336697Author Commented:
You guys are just brilliant. Thank you.
0

Featured Post

Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now