Musings on the splendour of PowerShell One-Liner: Find User Accounts Configured for DES Encryption - PoSh Chap - Site Home - TechNet Blogs

PoSh Chap

Musings on the splendour of PowerShell

One-Liner: Find User Accounts Configured for DES Encryption


Once more, with feeling: extended support for Windows Server 2003 ends on July 14, 2015...

Less than a year to go!

Hopefully, you've already upgraded your domain controllers to at least Windows Server 2008 R2. If you haven't, there are security enhancements to be aware of. Here's more information:

W2K3 to W2K8 and W2K8R2 Active Directory Upgrade Considerations

 

One of those enhancements is the disabling of DES encryption for Kerberos authentication. If you have user accounts, most likely service accounts, configured to just use DES there'll be authentication 'trouble at mill'!

How do you check for these accounts?

Get-ADUser -Filter {UserAccountControl -band 0x200000}

That was easy!

User accounts have different options that can be set to control security settings. In Active Directory Users and Computers most of these options can be found in the 'Account' tab of the user object dialogue box, under 'Account options':

[Screenshot: the 'Account options' list on the 'Account' tab, with 'Use Kerberos DES encryption types for this account' ticked]

In the above window, the user is set to use DES encryption. This setting is stored as one bit of a bitmask in the 'UserAccountControl' attribute of the user object. Each positional bit in the mask represents a different user account option that can be switched on or off, like a light switch: when the bit is on, the option is active. These settings can be queried using PowerShell's bitwise 'and' (-band) operator. The hexadecimal value for DES encryption is 0x200000, and we use -band in the filter to check that this bit is present (switched on) in the mask.

 

Here are other values you could check for with the aid of a filter and Get-ADUser:

Property Flag                    Value in Hexadecimal   Value in Decimal
SCRIPT                           0x0001                 1
ACCOUNTDISABLE                   0x0002                 2
HOMEDIR_REQUIRED                 0x0008                 8
LOCKOUT                          0x0010                 16
PASSWD_NOTREQD                   0x0020                 32
PASSWD_CANT_CHANGE               0x0040                 64
ENCRYPTED_TEXT_PWD_ALLOWED       0x0080                 128
TEMP_DUPLICATE_ACCOUNT           0x0100                 256
NORMAL_ACCOUNT                   0x0200                 512
INTERDOMAIN_TRUST_ACCOUNT        0x0800                 2048
WORKSTATION_TRUST_ACCOUNT        0x1000                 4096
SERVER_TRUST_ACCOUNT             0x2000                 8192
DONT_EXPIRE_PASSWORD             0x10000                65536
MNS_LOGON_ACCOUNT                0x20000                131072
SMARTCARD_REQUIRED               0x40000                262144
TRUSTED_FOR_DELEGATION           0x80000                524288
NOT_DELEGATED                    0x100000               1048576
USE_DES_KEY_ONLY                 0x200000               2097152
DONT_REQ_PREAUTH                 0x400000               4194304
PASSWORD_EXPIRED                 0x800000               8388608
TRUSTED_TO_AUTH_FOR_DELEGATION   0x1000000              16777216
PARTIAL_SECRETS_ACCOUNT          0x04000000             67108864

 

You're quite at liberty to combine them. This one tests for users who have all of the following set: 'Password never expires', 'Store password using reversible encryption' and 'Use Kerberos DES encryption types for this account'.

$COMBINED_VALUE = 0x10000 + 0x0080 + 0x200000

Get-ADUser -Filter {UserAccountControl -band $COMBINED_VALUE}

 

One would hope that this query never returns objects!
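As an added example (not part of the original post), here is the flag table above turned into a small decoder, so the accounts the one-liner returns can be reported with every option that is switched on rather than just listed. The flag names and values are the ones in the table; the last step assumes the ActiveDirectory module and a reachable domain, and the function and variable names are my own.

```powershell
# Added example: flag table from the post; ActiveDirectory module assumed for the last step.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
    PARTIAL_SECRETS_ACCOUNT        = 0x4000000
}

# Turn a UserAccountControl integer into the names of the bits that are switched on.
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    foreach ($flag in $UacFlags.GetEnumerator()) {
        if (($Value -band $flag.Value) -ne 0) { $flag.Key }
    }
}

# True only when every bit in $Required is set in $Value. This is what -band means
# inside an AD -Filter (the LDAP bit-AND matching rule); PowerShell's own -band
# is merely non-zero as soon as any one of the bits matches, so test explicitly.
function Test-UacFlagsAllSet {
    param([int]$Value, [int]$Required)
    return (($Value -band $Required) -eq $Required)
}

# Constructed sample: NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD + USE_DES_KEY_ONLY, no reversible encryption.
$sample = 0x0200 + 0x10000 + 0x200000
ConvertFrom-UserAccountControl $sample
Test-UacFlagsAllSet -Value $sample -Required (0x10000 + 0x0080 + 0x200000)

# Report DES-only accounts from the domain together with their decoded flags.
Get-ADUser -Filter {UserAccountControl -band 0x200000} -Properties UserAccountControl |
    Select-Object SamAccountName, Enabled, @{ Name = 'Flags'; Expression = { (ConvertFrom-UserAccountControl $_.UserAccountControl) -join ', ' } }
```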

TTFN!
