Solved

"Do not require Kerberos Preauthentication" powershell script

Posted on 2014-12-29
7
724 Views
Last Modified: 2014-12-29
Hi everyone!

We have a legacy app that was recently upgraded.  Unfortunately the upgrade didnt have the ability for kerberos pre-authentication.  I now have to go through 800 users that use the app to enable "Do not require Kerberos pre-authentication".  I have searched high and low and cannot find a powershell command to turn that on to alleviate the kerberos errors until the vendor fixes their app.

Any idea how I can enable that option in the user accounts per OU?

Thank you for your time!!!

-GL
0
Comment
Question by:vrmanrtell
  • 4
  • 2
7 Comments
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 250 total points
ID: 40522528
I dont know the ramifications of enabling or disabling this but you could probably do something using the following powershell cmdlets.

http://technet.microsoft.com/en-us/library/ee617249.aspx 

get-aduser {some filter to target the users you want to change} | Set-ADAccountControl  -doesnotrequirepreauth $true

Obviously I would test this with one user, then a small group, then larger, to make sure I was comfortable before going all 800 users.
0
 

Author Comment

by:vrmanrtell
ID: 40522561
The ramifications is the dropping of the security of kerberos and allowing attacks that pre-authentication takes care of.  We have no choice however, as much as I dont want to do it.  The vendor sucks.

Anyway you can help me with the filter?  Im good at taking commands and tweaking them but I have no formal training in Powershell.
0
 
LVL 40

Assisted Solution

by:footech
footech earned 250 total points
ID: 40522580
Joseph Daly pretty much answered this already.  You can use the -searchbase parameter of Get-ADUser to specify where to retrieve accounts from.
get-aduser-filter * -seachbase "OU=whateverOU,DC=domain,DC=com" | Set-ADAccountControl  -doesnotrequirepreauth $true

Open in new window


I also wanted to point out another option.  Just using ADUC you can select multiple users (for instance, navigating to an OU, click an account, then press Ctrl-A to select all), then right-click and choose Properties to adjust a number of properties for all selected users (the "Do not require Kerberos Preauthentication" setting is one that can be set).
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 35

Expert Comment

by:Joseph Daly
ID: 40522589
That's tough to say without knowing your ad structure. But in the simplest example you should be able to perform the following.

Get-aduser your user name | Set-ADAccountControl  -doesnotrequirepreauth $true

That should set it for your account.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 40522609
For other filters take a look at this page.

http://blogs.msdn.com/b/adpowershell/archive/2009/04/14/active-directory-powershell-advanced-filter-part-ii.aspx

Basically it will depend on wheter there is some kind of common identifying trait your users will have that you want to set. Do they all live in the same OU? Are they all members of a certain group? Etc.

You could always do filter * but that would return all accounts you may not need this set on admin/service/other accounts. That is why I mentioned it is specific to your AD structure.
0
 

Author Comment

by:vrmanrtell
ID: 40522670
WHOA hold da phone!  Ive been using ADUC since it came out and didnt know about the multiple select!  GEEZ!  

Anyway i just showed that trick to my other admins and they didnt know about it either! ha!

Ok, for anyone searching how to do it, the correct command is as follows (there were some spelling errors in your original command Joseph Daly.

get-aduser -filter * -searchbase "OU=ouname,DC=domain,DC=com" | Set-ADAccountControl  -doesnotrequirepreauth $true

THANKS FOR THE HELP GUYS!
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 40522683
Sorry about the misspellings I answer from my iPhone
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A procedure for exporting installed hotfix details of remote computers using powershell
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

791 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question