Identifying AD Accounts without Proper Encryption Type

Aug 2, 2023

You may have accounts (including trust accounts) in AD whose msDS-SupportedEncryptionTypes attribute is null. Such accounts may have been working "by accident" so far and may break after the Kerberos hardening described in KB5021131: https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d.

Fortunately, PowerShell makes it easy to find potentially affected accounts:

Get-ADObject -Filter "msDS-supportedEncryptionTypes -bor 0x7 -and -not msDS-supportedEncryptionTypes -bor 0x18"
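The one-liner above matches objects that have a DES or RC4 bit (0x7) set without any AES bit (0x18), so an object whose attribute is completely unset is not returned by it. The script below is an added example, not part of the original post, that covers both cases: it reports user, computer and trust objects where msDS-SupportedEncryptionTypes is either null or lacks every AES bit, and decodes the bitmask so a reviewer can see what each account is actually advertising. The function name Get-WeakEncTypeAccounts, the flag table and the output columns are this example's own choices; it assumes the ActiveDirectory module (RSAT) and read access to the domain.

```powershell
# Added example (not from the original post): find accounts whose
# msDS-SupportedEncryptionTypes is unset or has no AES flag, and decode it.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes as documented by Microsoft.
$EncTypeFlags = [ordered]@{
    DES_CBC_CRC = 0x1
    DES_CBC_MD5 = 0x2
    RC4_HMAC    = 0x4
    AES128      = 0x8
    AES256      = 0x10
    AES256_SK   = 0x20   # AES256 session-key flag introduced with the KB5021131 changes
}

function ConvertFrom-EncType {
    # Turn the raw integer into a readable flag list; $null means "attribute not set".
    param($Value)
    if ($null -eq $Value) { return '<not set>' }
    $names = foreach ($k in $EncTypeFlags.Keys) {
        if ($Value -band $EncTypeFlags[$k]) { $k }
    }
    if (-not $names) { return ('0x{0:X} (no recognised flags)' -f $Value) }
    return ($names -join ', ')
}

# LDAP filter: user, computer or trustedDomain objects where the attribute is
# absent, OR where the bitwise-OR match against 0x18 (AES128|AES256) fails.
# The negated bitwise match also matches absent attributes, so both cases are covered.
$WeakEncTypeFilter = '(&(|(objectClass=user)(objectClass=computer)(objectClass=trustedDomain))' +
                     '(|(!(msDS-SupportedEncryptionTypes=*))' +
                     '(!(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=24))))'

function Get-WeakEncTypeAccounts {
    # Hypothetical helper name chosen for this example.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADObject -LDAPFilter $WeakEncTypeFilter -SearchBase $SearchBase `
        -Properties 'msDS-SupportedEncryptionTypes', 'sAMAccountName', 'servicePrincipalName' |
    ForEach-Object {
        $raw = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Name        = $_.Name
            SamAccount  = $_.sAMAccountName          # empty for trustedDomain objects
            ObjectClass = $_.ObjectClass
            HasSPN      = [bool]$_.servicePrincipalName
            RawValue    = if ($null -eq $raw) { $null } else { '0x{0:X}' -f $raw }
            Decoded     = ConvertFrom-EncType $raw
            Finding     = if ($null -eq $raw) { 'Attribute not set: DC default encryption types apply' }
                          else                 { 'No AES flag: RC4/DES only' }
        }
    }
}

# Usage: review on screen, then keep a record for the remediation ticket.
Get-WeakEncTypeAccounts | Sort-Object ObjectClass, Name | Format-Table -AutoSize
Get-WeakEncTypeAccounts | Export-Csv -NoTypeInformation -Path .\weak-enctype-accounts.csv
```

Objects in the "Attribute not set" bucket are the ones the post is about: their effective encryption types are whatever the domain controller defaults to, which is exactly what the hardening changes. Objects in the "No AES flag" bucket are the ones the original one-liner already finds; both lists are worth working through before enforcing the new behaviour.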