[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

"Do not require Kerberos Preauthentication" powershell script

Posted on 2014-12-29
7
Medium Priority
?
946 Views
Last Modified: 2014-12-29
Hi everyone!

We have a legacy app that was recently upgraded.  Unfortunately the upgrade didnt have the ability for kerberos pre-authentication.  I now have to go through 800 users that use the app to enable "Do not require Kerberos pre-authentication".  I have searched high and low and cannot find a powershell command to turn that on to alleviate the kerberos errors until the vendor fixes their app.

Any idea how I can enable that option in the user accounts per OU?

Thank you for your time!!!

-GL
0
Comment
Question by:vrmanrtell
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 1000 total points
ID: 40522528
I dont know the ramifications of enabling or disabling this but you could probably do something using the following powershell cmdlets.

http://technet.microsoft.com/en-us/library/ee617249.aspx 

get-aduser {some filter to target the users you want to change} | Set-ADAccountControl  -doesnotrequirepreauth $true

Obviously I would test this with one user, then a small group, then larger, to make sure I was comfortable before going all 800 users.
0
 

Author Comment

by:vrmanrtell
ID: 40522561
The ramifications is the dropping of the security of kerberos and allowing attacks that pre-authentication takes care of.  We have no choice however, as much as I dont want to do it.  The vendor sucks.

Anyway you can help me with the filter?  Im good at taking commands and tweaking them but I have no formal training in Powershell.
0
 
LVL 41

Assisted Solution

by:footech
footech earned 1000 total points
ID: 40522580
Joseph Daly pretty much answered this already.  You can use the -searchbase parameter of Get-ADUser to specify where to retrieve accounts from.
get-aduser-filter * -seachbase "OU=whateverOU,DC=domain,DC=com" | Set-ADAccountControl  -doesnotrequirepreauth $true

Open in new window


I also wanted to point out another option.  Just using ADUC you can select multiple users (for instance, navigating to an OU, click an account, then press Ctrl-A to select all), then right-click and choose Properties to adjust a number of properties for all selected users (the "Do not require Kerberos Preauthentication" setting is one that can be set).
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 35

Expert Comment

by:Joseph Daly
ID: 40522589
That's tough to say without knowing your ad structure. But in the simplest example you should be able to perform the following.

Get-aduser your user name | Set-ADAccountControl  -doesnotrequirepreauth $true

That should set it for your account.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 40522609
For other filters take a look at this page.

http://blogs.msdn.com/b/adpowershell/archive/2009/04/14/active-directory-powershell-advanced-filter-part-ii.aspx

Basically it will depend on wheter there is some kind of common identifying trait your users will have that you want to set. Do they all live in the same OU? Are they all members of a certain group? Etc.

You could always do filter * but that would return all accounts you may not need this set on admin/service/other accounts. That is why I mentioned it is specific to your AD structure.
0
 

Author Comment

by:vrmanrtell
ID: 40522670
WHOA hold da phone!  Ive been using ADUC since it came out and didnt know about the multiple select!  GEEZ!  

Anyway i just showed that trick to my other admins and they didnt know about it either! ha!

Ok, for anyone searching how to do it, the correct command is as follows (there were some spelling errors in your original command Joseph Daly.

get-aduser -filter * -searchbase "OU=ouname,DC=domain,DC=com" | Set-ADAccountControl  -doesnotrequirepreauth $true

THANKS FOR THE HELP GUYS!
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 40522683
Sorry about the misspellings I answer from my iPhone
0

Featured Post

Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently we ran in to an issue while running some SQL jobs where we were trying to process the cubes.  We got an error saying failure stating 'NT SERVICE\SQLSERVERAGENT does not have access to Analysis Services. So this is a way to automate that wit…
A walk-through example of how to obtain and apply new DID phone numbers to your cloud PBX enabled users that are configured in Office 365. Whether you have 1, 10 or 100+ users in your tenant, it's quite easy to get them phone-enabled and making/rece…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question