?
Solved

"Do not require Kerberos Preauthentication" powershell script

Posted on 2014-12-29
7
Medium Priority
?
875 Views
Last Modified: 2014-12-29
Hi everyone!

We have a legacy app that was recently upgraded.  Unfortunately the upgrade didnt have the ability for kerberos pre-authentication.  I now have to go through 800 users that use the app to enable "Do not require Kerberos pre-authentication".  I have searched high and low and cannot find a powershell command to turn that on to alleviate the kerberos errors until the vendor fixes their app.

Any idea how I can enable that option in the user accounts per OU?

Thank you for your time!!!

-GL
0
Comment
Question by:vrmanrtell
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 1000 total points
ID: 40522528
I dont know the ramifications of enabling or disabling this but you could probably do something using the following powershell cmdlets.

http://technet.microsoft.com/en-us/library/ee617249.aspx 

get-aduser {some filter to target the users you want to change} | Set-ADAccountControl  -doesnotrequirepreauth $true

Obviously I would test this with one user, then a small group, then larger, to make sure I was comfortable before going all 800 users.
0
 

Author Comment

by:vrmanrtell
ID: 40522561
The ramifications is the dropping of the security of kerberos and allowing attacks that pre-authentication takes care of.  We have no choice however, as much as I dont want to do it.  The vendor sucks.

Anyway you can help me with the filter?  Im good at taking commands and tweaking them but I have no formal training in Powershell.
0
 
LVL 40

Assisted Solution

by:footech
footech earned 1000 total points
ID: 40522580
Joseph Daly pretty much answered this already.  You can use the -searchbase parameter of Get-ADUser to specify where to retrieve accounts from.
get-aduser-filter * -seachbase "OU=whateverOU,DC=domain,DC=com" | Set-ADAccountControl  -doesnotrequirepreauth $true

Open in new window


I also wanted to point out another option.  Just using ADUC you can select multiple users (for instance, navigating to an OU, click an account, then press Ctrl-A to select all), then right-click and choose Properties to adjust a number of properties for all selected users (the "Do not require Kerberos Preauthentication" setting is one that can be set).
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 35

Expert Comment

by:Joseph Daly
ID: 40522589
That's tough to say without knowing your ad structure. But in the simplest example you should be able to perform the following.

Get-aduser your user name | Set-ADAccountControl  -doesnotrequirepreauth $true

That should set it for your account.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 40522609
For other filters take a look at this page.

http://blogs.msdn.com/b/adpowershell/archive/2009/04/14/active-directory-powershell-advanced-filter-part-ii.aspx

Basically it will depend on wheter there is some kind of common identifying trait your users will have that you want to set. Do they all live in the same OU? Are they all members of a certain group? Etc.

You could always do filter * but that would return all accounts you may not need this set on admin/service/other accounts. That is why I mentioned it is specific to your AD structure.
0
 

Author Comment

by:vrmanrtell
ID: 40522670
WHOA hold da phone!  Ive been using ADUC since it came out and didnt know about the multiple select!  GEEZ!  

Anyway i just showed that trick to my other admins and they didnt know about it either! ha!

Ok, for anyone searching how to do it, the correct command is as follows (there were some spelling errors in your original command Joseph Daly.

get-aduser -filter * -searchbase "OU=ouname,DC=domain,DC=com" | Set-ADAccountControl  -doesnotrequirepreauth $true

THANKS FOR THE HELP GUYS!
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 40522683
Sorry about the misspellings I answer from my iPhone
0

Featured Post

Ransomware Attacks Keeping You Up at Night?

Will your organization be ransomware's next victim?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with our Ransomware Prevention Kit!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Suggested Courses
Course of the Month14 days, 12 hours left to enroll

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question