Identifying AD Accounts without Proper Encryption Type

by Aug 2, 2023

You may have accounts (including trust accounts) in AD that have a null value for msDS-SupportedEncryptionTypes. They may have been working “by accident” before and may break post-hardening.

Fortunately, PowerShell makes it easy to find potentially affected accounts:

# Matches objects whose msDS-SupportedEncryptionTypes has a DES or RC4 bit (0x7) set but no AES bit (0x18) set
Get-ADObject -Filter "msDS-supportedEncryptionTypes -bor 0x7 -and -not msDS-supportedEncryptionTypes -bor 0x18"
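The bitwise filter above only matches objects that have an explicit RC4/DES-only value; a null attribute has no bits to match. The following script is an added example (not from the original post) that inventories user, computer and trust objects, decodes the flag bits, and reports both the null cases and the no-AES cases so they can be reviewed before hardening. It assumes the RSAT ActiveDirectory module is installed and the caller has read access to the domain.

```powershell
# Added example: decode msDS-SupportedEncryptionTypes across accounts and trusts.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (assumed from the standard flag layout).
$flags = [ordered]@{
    DES_CBC_CRC = 0x1
    DES_CBC_MD5 = 0x2
    RC4_HMAC    = 0x4
    AES128      = 0x8
    AES256      = 0x10
}

function Get-EncTypeNames([int]$value) {
    # Translate a raw flag value into a readable list such as "RC4_HMAC,AES256".
    $names = foreach ($f in $flags.GetEnumerator()) { if ($value -band $f.Value) { $f.Key } }
    if ($names) { $names -join ',' } else { 'NONE' }
}

# objectClass=user also covers computer and trust accounts (DOMAIN$); trustedDomain
# objects carry the same attribute for the trust itself, so both are queried.
$objects = Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=trustedDomain))' `
    -Properties msDS-SupportedEncryptionTypes

$report = foreach ($o in $objects) {
    $v = $o.'msDS-SupportedEncryptionTypes'
    $state = if ($null -eq $v)               { 'NULL (default applies; verify after hardening)' }
             elseif (($v -band 0x18) -eq 0)  { 'NO AES (DES/RC4 only)' }
             else                            { 'AES capable' }
    [pscustomobject]@{
        Name  = $o.Name
        Class = $o.ObjectClass
        Value = $v
        Types = if ($null -eq $v) { '(null)' } else { Get-EncTypeNames $v }
        State = $state
    }
}

# Show only the objects that need attention; drop the Where-Object to see everything.
$report | Where-Object { $_.State -ne 'AES capable' } |
    Sort-Object Class, Name | Format-Table -AutoSize
```

Pipe `$report` to Export-Csv instead of Format-Table to keep a baseline you can diff after the hardening update is applied.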