Solved

"Do not require Kerberos Preauthentication" powershell script

Posted on 2014-12-29
7
657 Views
Last Modified: 2014-12-29
Hi everyone!

We have a legacy app that was recently upgraded.  Unfortunately the upgrade didnt have the ability for kerberos pre-authentication.  I now have to go through 800 users that use the app to enable "Do not require Kerberos pre-authentication".  I have searched high and low and cannot find a powershell command to turn that on to alleviate the kerberos errors until the vendor fixes their app.

Any idea how I can enable that option in the user accounts per OU?

Thank you for your time!!!

-GL
0
Comment
Question by:vrmanrtell
  • 4
  • 2
7 Comments
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 250 total points
ID: 40522528
I dont know the ramifications of enabling or disabling this but you could probably do something using the following powershell cmdlets.

http://technet.microsoft.com/en-us/library/ee617249.aspx 

get-aduser {some filter to target the users you want to change} | Set-ADAccountControl  -doesnotrequirepreauth $true

Obviously I would test this with one user, then a small group, then larger, to make sure I was comfortable before going all 800 users.
0
 

Author Comment

by:vrmanrtell
ID: 40522561
The ramifications is the dropping of the security of kerberos and allowing attacks that pre-authentication takes care of.  We have no choice however, as much as I dont want to do it.  The vendor sucks.

Anyway you can help me with the filter?  Im good at taking commands and tweaking them but I have no formal training in Powershell.
0
 
LVL 39

Assisted Solution

by:footech
footech earned 250 total points
ID: 40522580
Joseph Daly pretty much answered this already.  You can use the -searchbase parameter of Get-ADUser to specify where to retrieve accounts from.
get-aduser-filter * -seachbase "OU=whateverOU,DC=domain,DC=com" | Set-ADAccountControl  -doesnotrequirepreauth $true

Open in new window


I also wanted to point out another option.  Just using ADUC you can select multiple users (for instance, navigating to an OU, click an account, then press Ctrl-A to select all), then right-click and choose Properties to adjust a number of properties for all selected users (the "Do not require Kerberos Preauthentication" setting is one that can be set).
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 35

Expert Comment

by:Joseph Daly
ID: 40522589
That's tough to say without knowing your ad structure. But in the simplest example you should be able to perform the following.

Get-aduser your user name | Set-ADAccountControl  -doesnotrequirepreauth $true

That should set it for your account.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 40522609
For other filters take a look at this page.

http://blogs.msdn.com/b/adpowershell/archive/2009/04/14/active-directory-powershell-advanced-filter-part-ii.aspx

Basically it will depend on wheter there is some kind of common identifying trait your users will have that you want to set. Do they all live in the same OU? Are they all members of a certain group? Etc.

You could always do filter * but that would return all accounts you may not need this set on admin/service/other accounts. That is why I mentioned it is specific to your AD structure.
0
 

Author Comment

by:vrmanrtell
ID: 40522670
WHOA hold da phone!  Ive been using ADUC since it came out and didnt know about the multiple select!  GEEZ!  

Anyway i just showed that trick to my other admins and they didnt know about it either! ha!

Ok, for anyone searching how to do it, the correct command is as follows (there were some spelling errors in your original command Joseph Daly.

get-aduser -filter * -searchbase "OU=ouname,DC=domain,DC=com" | Set-ADAccountControl  -doesnotrequirepreauth $true

THANKS FOR THE HELP GUYS!
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 40522683
Sorry about the misspellings I answer from my iPhone
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This article explains how to prepare an HTML email signature template file containing dynamic placeholders for users' Azure AD data. Furthermore, it explains how to use this file to remotely set up a department-wide email signature policy in Office …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now