Identifying AD Accounts without Proper Encryption Type

by | August 2,2023

IderaBlog_thumbs

Table of Contents

You may have accounts (inc. trust accounts) in AD that have a null value for msds-SupportedEncryptionTypes. They may have been working “by accident” before and may break post-hardening: https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d.

Using PowerShell to Identify Affected Accounts

Fortunately, PowerShell makes it easy to find potentially affected accounts:

Get-ADObject -Filter "msDS-supportedEncryptionTypes -bor 0x7 -and -not msDS-supportedEncryptionTypes -bor 0x18"

Table of Contents

Free Trial

Explore all the products and find the right solution for your business.

Start your free trial

Latest Content

Perpetual vs Subscription: SQL Server Tools Pricing Explained

Understanding and Managing High Memory Usage in SQL Server

Essentials of Database Indexing for SQL Server

A User-Centric Tuning Philosophy

Macros – Add custom properties to specific objects

See More

Recommended Articles

Top 10 Concerns Keeping SQL Server DBAs Awake at Night

SQL Server Database Administrators (DBAs) have a tough job. They are responsible for ensuring database performance, security, and ....
Read More

Achieving PCI Compliance in Your SQL Server Environment

Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized security standard designed to ensure that businesses handling credit card .....
Read More

SQL Server Monitoring Reimagined: Predictive Analytics and AI Trends for 2025

The world of SQL Server monitoring has undergone a major transformation. In the past, database administrators (DBAs) relied on reactive methods to address ......
Read More