Solved

"Do not require Kerberos Preauthentication" powershell script

Posted on 2014-12-29
7
631 Views
Last Modified: 2014-12-29
Hi everyone!

We have a legacy app that was recently upgraded.  Unfortunately the upgrade didnt have the ability for kerberos pre-authentication.  I now have to go through 800 users that use the app to enable "Do not require Kerberos pre-authentication".  I have searched high and low and cannot find a powershell command to turn that on to alleviate the kerberos errors until the vendor fixes their app.

Any idea how I can enable that option in the user accounts per OU?

Thank you for your time!!!

-GL
0
Comment
Question by:vrmanrtell
  • 4
  • 2
7 Comments
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 250 total points
ID: 40522528
I dont know the ramifications of enabling or disabling this but you could probably do something using the following powershell cmdlets.

http://technet.microsoft.com/en-us/library/ee617249.aspx

get-aduser {some filter to target the users you want to change} | Set-ADAccountControl  -doesnotrequirepreauth $true

Obviously I would test this with one user, then a small group, then larger, to make sure I was comfortable before going all 800 users.
0
 

Author Comment

by:vrmanrtell
ID: 40522561
The ramifications is the dropping of the security of kerberos and allowing attacks that pre-authentication takes care of.  We have no choice however, as much as I dont want to do it.  The vendor sucks.

Anyway you can help me with the filter?  Im good at taking commands and tweaking them but I have no formal training in Powershell.
0
 
LVL 39

Assisted Solution

by:footech
footech earned 250 total points
ID: 40522580
Joseph Daly pretty much answered this already.  You can use the -searchbase parameter of Get-ADUser to specify where to retrieve accounts from.
get-aduser-filter * -seachbase "OU=whateverOU,DC=domain,DC=com" | Set-ADAccountControl  -doesnotrequirepreauth $true

Open in new window


I also wanted to point out another option.  Just using ADUC you can select multiple users (for instance, navigating to an OU, click an account, then press Ctrl-A to select all), then right-click and choose Properties to adjust a number of properties for all selected users (the "Do not require Kerberos Preauthentication" setting is one that can be set).
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 35

Expert Comment

by:Joseph Daly
ID: 40522589
That's tough to say without knowing your ad structure. But in the simplest example you should be able to perform the following.

Get-aduser your user name | Set-ADAccountControl  -doesnotrequirepreauth $true

That should set it for your account.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 40522609
For other filters take a look at this page.

http://blogs.msdn.com/b/adpowershell/archive/2009/04/14/active-directory-powershell-advanced-filter-part-ii.aspx

Basically it will depend on wheter there is some kind of common identifying trait your users will have that you want to set. Do they all live in the same OU? Are they all members of a certain group? Etc.

You could always do filter * but that would return all accounts you may not need this set on admin/service/other accounts. That is why I mentioned it is specific to your AD structure.
0
 

Author Comment

by:vrmanrtell
ID: 40522670
WHOA hold da phone!  Ive been using ADUC since it came out and didnt know about the multiple select!  GEEZ!  

Anyway i just showed that trick to my other admins and they didnt know about it either! ha!

Ok, for anyone searching how to do it, the correct command is as follows (there were some spelling errors in your original command Joseph Daly.

get-aduser -filter * -searchbase "OU=ouname,DC=domain,DC=com" | Set-ADAccountControl  -doesnotrequirepreauth $true

THANKS FOR THE HELP GUYS!
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 40522683
Sorry about the misspellings I answer from my iPhone
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

This script checks a path to see if a folder exists. If the folder does exist you will get output "The folder has previously been created. No action taken" If not it will create the folder. Then adds one user modify permission to the folder. It …
I thought I'd write this up for anyone who has a request to create an anonymous whistle-blower-type submission form created using SharePoint 2010 (this would probably work the same for 2013). It's not 100% fool-proof but it's as close as you can get…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now