
Active Directory is inconsistent in storing the preferred algorithms for Kerberos encryption.

DES can be set as the only algorithm using AD Users and Computers

If you want to find all users that were configured this way, the following PowerShell command will do the trick:

    Get-ADUser -Filter 'UserAccountControl -band 0x200000'

The bitwise AND of UserAccountControl with 0x200000 shows whether the DES encryption flag is set.

If you want to remove this, you can do so as follows:

    # The loop body is cut off on the page; clearing the flag with
    # Set-ADAccountControl is an assumed completion.
    Get-ADUser -Filter 'UserAccountControl -band 0x200000' |
        ForEach-Object { Set-ADAccountControl -Identity $_ -UseDESKeyOnly $false }

While the UserAccountControl attribute is used to enforce the exclusive use of DES, the general encryption configuration is stored in msDS-SupportedEncryptionTypes. This attribute, with the data type unsigned long, also serves as a bitmask, so you have to check the status of each flag to see which algorithms are allowed. In the case of RC4, this is the third bit.

Accordingly, a query would look like this:

    Get-ADUser -Filter 'msDS-SupportedEncryptionTypes -band 0x4' -Properties msDS-SupportedEncryptionTypes |
        Select name, msDS-SupportedEncryptionTypes

To remove RC4 from these accounts, you can proceed as follows:

    # The part after the pipe is missing on the page; clearing only bit 0x4
    # and writing the value back with Set-ADUser is an assumed completion.
    Get-ADUser -Filter 'msDS-SupportedEncryptionTypes -band 0x4' -Properties msDS-SupportedEncryptionTypes |
        ForEach-Object {
            $newTypes = $_.'msDS-SupportedEncryptionTypes' -band (-bnot 0x4)
            Set-ADUser -Identity $_ -Replace @{ 'msDS-SupportedEncryptionTypes' = $newTypes }
        }
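Checking each flag of msDS-SupportedEncryptionTypes before changing it can be done with a small decoder that also shows what the mask would be once the RC4 bit is cleared. This is an added example, not code from the original article: the function name Get-EncTypeReport and the sample accounts are hypothetical, and the DES and AES bit values (0x1, 0x2, 0x8, 0x10) are not stated on the page.

```powershell
# Added example. Bit values of msDS-SupportedEncryptionTypes; only RC4 (0x4)
# appears in the article, the others are assumptions taken from the attribute's
# documented layout.
$EncTypeFlags = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}

function Get-EncTypeReport {
    param(
        [Parameter(Mandatory)][string]$Name,
        $Mask   # may be $null when the attribute is not set on the account
    )

    $value   = if ($null -eq $Mask) { 0 } else { [int]$Mask }
    # Test every flag individually, as the bitmask requires.
    $allowed = @($EncTypeFlags.Keys | Where-Object { $value -band $EncTypeFlags[$_] })
    # Clear only the RC4 bit and keep all other flags unchanged.
    $noRc4   = $value -band (-bnot 0x4)

    [pscustomobject]@{
        Name        = $Name
        Mask        = if ($null -eq $Mask) { '<not set>' } else { '0x{0:X}' -f $value }
        Allowed     = $allowed -join ', '
        Rc4Enabled  = [bool]($value -band 0x4)
        MaskNoRc4   = '0x{0:X}' -f $noRc4
        # False means no AES type would remain after removing RC4.
        AesAfterFix = [bool]($noRc4 -band 0x18)
    }
}

# Constructed sample values so the block runs without a domain. With the
# ActiveDirectory module, feed it Name and msDS-SupportedEncryptionTypes
# from Get-ADUser instead.
$samples = @(
    @{ Name = 'svc-legacy';  Mask = 0x1C }   # RC4 + AES128 + AES256
    @{ Name = 'svc-rc4only'; Mask = 0x04 }   # RC4 only
    @{ Name = 'svc-modern';  Mask = 0x18 }   # AES only
    @{ Name = 'svc-unset';   Mask = $null }  # attribute absent, not matched by the -band 0x4 filter
)

$samples |
    ForEach-Object { Get-EncTypeReport -Name $_.Name -Mask $_.Mask } |
    Format-Table -AutoSize
```

Accounts where AesAfterFix is False, such as the constructed svc-rc4only, need an AES flag added before the RC4 bit is removed.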
