How do I find accounts that use DES encryption in Windows 2003 AD

As part of upgrading a Windows 2003 domain, one of the checks you need to do is for accounts that have been forced to use DES encryption: the "Use DES encryption types for this account" option on the user object, which sets the USE_DES_KEY_ONLY bit (0x200000, decimal 2097152) in userAccountControl.

Why? Because DES is disabled by default from Windows 7 and Windows Server 2008 R2 onward, so once the domain controllers and clients are upgraded, Kerberos authentication for these accounts will fail.

Here is a PowerShell script that runs through your AD and finds such accounts.

PowerShell Script to Query UserAccountControl Flags

Run it and choose option 18 from its menu.

NOTE – Run it from the PowerShell command prompt, not the PowerShell ISE.
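If you would rather not use the menu-driven script, the same check is a single LDAP bitwise query. The following is an added example (not the linked script and not from the original post) that uses ADSI so it runs from a plain PowerShell prompt against a 2003 domain without the ActiveDirectory module; the function name and output columns are my own. It also reports whether each hit is disabled and whether it carries an SPN, since service accounts are the usual reason DES was forced in the first place.

```powershell
# Added example, not the linked script: find every user account whose
# userAccountControl has the USE_DES_KEY_ONLY bit set. Uses ADSI/DirectorySearcher
# so it runs from a plain PowerShell prompt against a 2003 domain, with no
# ActiveDirectory module required.

$USE_DES_KEY_ONLY = 0x200000   # ADS_UF_USE_DES_KEY_ONLY, decimal 2097152

function Find-DesOnlyAccounts {
    param(
        # Search base; defaults to the domain's default naming context.
        [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    )

    # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: the DC tests the
    # bit server-side, so we do not have to pull every account down.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$USE_DES_KEY_ONLY))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = $filter
    $searcher.PageSize   = 1000      # paged results; otherwise large domains truncate at 1000
    [void]$searcher.PropertiesToLoad.AddRange(
        @('sAMAccountName', 'distinguishedName', 'userAccountControl', 'servicePrincipalName'))

    foreach ($result in $searcher.FindAll()) {
        # DirectorySearcher returns property names in lower case.
        $uac = [int]$result.Properties['useraccountcontrol'][0]
        New-Object PSObject -Property @{
            SamAccountName     = [string]$result.Properties['samaccountname'][0]
            DistinguishedName  = [string]$result.Properties['distinguishedname'][0]
            UserAccountControl = ('0x{0:X}' -f $uac)
            DesKeyOnly         = (($uac -band $USE_DES_KEY_ONLY) -ne 0)   # client-side double check
            Disabled           = (($uac -band 0x2) -ne 0)                 # ACCOUNTDISABLE
            HasSPN             = ($result.Properties['serviceprincipalname'].Count -gt 0)
        }
    }
}

Find-DesOnlyAccounts |
    Sort-Object SamAccountName |
    Format-Table SamAccountName, Disabled, HasSPN, DistinguishedName -AutoSize
```

On a 2008 R2 or later management box with the ActiveDirectory module, `Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2097152)" -Properties userAccountControl` returns the same set. Review the disabled accounts too: they are harmless today but will break if someone re-enables them after the upgrade.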

If you cannot untick "Use DES encryption types for this account" because an application still depends on DES, you need to enable DES support on the OS instead. There are two parts to this.

First, patch your 2008 domain controllers with KB978055. This gives the DC the ability to issue DES tickets.

Second, if the account that must use DES logs on from a Windows 7 client or a Windows Server 2008 R2 server, that machine needs a configuration change as well. This can be done with a registry fix, or pushed by Group Policy (Network security: Configure encryption types allowed for Kerberos). Refer to the Microsoft article "KDC Event ID 16 or 27 is logged if DES for Kerberos is disabled" for the details.

NOTE: When changing the client settings, be careful that you allow all of the required encryption types. If you use a GPO to turn on DES and don't specify anything else, your machine will only use DES, and it will no longer be able to authenticate with RC4 or AES to the rest of the domain.
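To make the note above concrete, here is an added example (not from the original post) that reads, decodes and sets the registry value that the "Network security: Configure encryption types allowed for Kerberos" policy writes on Windows 7 / 2008 R2. The registry path, value name and bit values are the ones the policy uses; the function names are my own. It shows the DES-only mask the note warns about next to the mask you actually want.

```powershell
# Added example, not from the original post. Reads and sets the Kerberos
# encryption-type mask that the GPO "Network security: Configure encryption
# types allowed for Kerberos" writes to the registry on Windows 7 / 2008 R2.
# Run as Administrator on the client or member server.

$KerbKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$KerbName = 'SupportedEncryptionTypes'

# Bit values of the mask (the same bits as msDS-SupportedEncryptionTypes in AD).
$EtypeBits = @(
    @{ Name = 'DES_CBC_CRC';      Bit = 0x1  },
    @{ Name = 'DES_CBC_MD5';      Bit = 0x2  },
    @{ Name = 'RC4_HMAC_MD5';     Bit = 0x4  },
    @{ Name = 'AES128_HMAC_SHA1'; Bit = 0x8  },
    @{ Name = 'AES256_HMAC_SHA1'; Bit = 0x10 }
)

function Get-KerberosEtypeMask {
    # Returns the configured mask, or $null when the policy is not set
    # (on Windows 7 / 2008 R2 that means the OS default: DES off, RC4 and AES on).
    $item = Get-ItemProperty -Path $KerbKey -Name $KerbName -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.$KerbName } else { return $null }
}

function ConvertTo-EtypeNames([int]$Mask) {
    # Decodes a mask into the names of the enabled encryption types.
    $EtypeBits | Where-Object { ($Mask -band $_.Bit) -ne 0 } | ForEach-Object { $_.Name }
}

function Set-KerberosEtypeMask([int]$Mask) {
    if (-not (Test-Path $KerbKey)) { New-Item -Path $KerbKey -Force | Out-Null }
    Set-ItemProperty -Path $KerbKey -Name $KerbName -Value $Mask -Type DWord
}

# --- The mistake the note warns about: "turn on DES" and nothing else ---
$desOnly = 0x1 -bor 0x2
"Mask 0x{0:X} enables: {1}" -f $desOnly, ((ConvertTo-EtypeNames $desOnly) -join ', ')
# Only DES_CBC_CRC and DES_CBC_MD5: this machine could no longer use RC4 or AES
# with the rest of the domain.

# --- What you actually want: DES added to, not instead of, the normal types ---
$allTypes = 0
foreach ($t in $EtypeBits) { $allTypes = $allTypes -bor $t.Bit }   # 0x1F
"Mask 0x{0:X} enables: {1}" -f $allTypes, ((ConvertTo-EtypeNames $allTypes) -join ', ')

$current = Get-KerberosEtypeMask
if ($current -eq $null) { "Current mask: not set (OS default)" }
else { "Current mask: 0x{0:X} ({1})" -f $current, ((ConvertTo-EtypeNames $current) -join ', ') }

Set-KerberosEtypeMask $allTypes
"New mask:     0x{0:X}" -f (Get-KerberosEtypeMask)
```

If this value is delivered by a GPO, the next policy refresh will overwrite whatever you set by hand, so put the full mask in the GPO itself; the direct registry write is only appropriate for a machine that is not receiving the policy.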

