Setting a computer object encryption type using ARS Management Shell

Hey all.

With native AD cmdlets, we can set a computer's encryption type using Set-ADComputer, for example

Set-ADComputer -Identity fooComputer -KerberosEncryptionType AES256

However, I'm not sure how to achieve this with Set-QADComputer. I tried the following, with no joy...

Set-QADComputer -Identity fooComputer -ObjectAttributes @{KerberosEncryptionType='AES256'}

Any ideas on how to set this, and other UAC values, using the ARS Management Shell?

Many thanks,

Jay.

  • Is that the correct name for the Kerberos property? Your Set- seems OK - what happened?

    As far as UAC goes, there are various virtual attributes that support this but depending on what you need, there are also default switches:

    Set-QADUser -Identity $Myuser -PasswordNeverExpires $true -UserMustChangePassword $true

    What other UAC values are you interested in?

  • Did a quick bit of research on this and it looks like your Kerberos property is stored as bits in msDS-SupportedEncryptionTypes.

    It's a 32-bit integer syntax so you have to send a number.

    So you would need to do the bitwise math and then set this value.

    Here's a reference

    # Value 256 below is a placeholder only!

    Set-QADComputer -Identity fooComputer -ObjectAttributes @{msDS-SupportedEncryptionTypes=256}

    This is one of those unexpectedly arcane topics. Happy Googl'ing

  • In the command line above, the property name needs to be in single quotes because it contains dashes.

    -ObjectAttributes @{'msDS-SupportedEncryptionTypes'=<some integer>}

  • As always, you're a Gent and a scholar! Thanks for the heads up on the msDS-SupportedEncryptionTypes. That was super helpful, and if it is of any benefit to anyone, the integer value for AES256 encryption is '16'

    As for UAC. One thing I've noticed is that when creating a new computer object with New-QADComputer, it creates a machine account with UAC value 1428 (0x1020 PASSWD_NOTREQD | WORKSTATION_TRUST_ACCOUNT).

    However, when creating a computer with New-ADComputer, it creates a machine account with UAC value 4096 (0x1000 WORKSTATION_TRUST_ACCOUNT). I can't see any options in New-QADComputer and Set-QADComputer to remedy the UAC value. I don't see any Set-ADAccountControl equivalent in the Quest cmdlets.

    Any suggestions?
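As an added example (not code posted by anyone in this thread), the following PowerShell builds the msDS-SupportedEncryptionTypes integer from the flag bits the earlier reply refers to, and decodes the two userAccountControl values compared in this post. The bit values are the documented AD flag values; fooComputer and the Set-QADComputer call are illustrative.

```powershell
# Added example: do the "bitwise math" for msDS-SupportedEncryptionTypes and
# decode userAccountControl, before handing an integer to Set-QADComputer.
# Flag values are the documented AD ones; fooComputer is a placeholder name.

# Bits stored in msDS-SupportedEncryptionTypes (a 32-bit integer attribute).
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128'      = 0x08
    'AES256'      = 0x10   # the value 16 mentioned in the thread
}

function Get-SupportedEncTypeValue {
    # OR together the bits for the named encryption types.
    param([string[]]$Names)
    $value = 0
    foreach ($n in $Names) {
        if (-not $EncTypeBits.Contains($n)) { throw "Unknown encryption type: $n" }
        $value = $value -bor $EncTypeBits[$n]
    }
    return $value
}

# The userAccountControl bits discussed in the thread.
$UacBits = [ordered]@{
    PASSWD_NOTREQD            = 0x0020
    WORKSTATION_TRUST_ACCOUNT = 0x1000
}

function ConvertFrom-Uac {
    # Return the names of the known bits that are set in a UAC value.
    param([int]$Uac)
    $UacBits.Keys | Where-Object { ($Uac -band $UacBits[$_]) -ne 0 }
}

# AES only: RC4 is deliberately left out so the account advertises no RC4 support.
$aesOnly = Get-SupportedEncTypeValue -Names 'AES128', 'AES256'

# The attribute name contains dashes, so the hashtable key must be quoted.
Set-QADComputer -Identity fooComputer -ObjectAttributes @{'msDS-SupportedEncryptionTypes' = $aesOnly}

# Decode the two UAC values from this post to see which bit differs between them.
ConvertFrom-Uac -Uac 0x1020
ConvertFrom-Uac -Uac 4096
```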

  • If you have Active Roles in your environment, then you have access to the UAC-derived virtual property edsaDoNotRequirePassword.

    It can be set to a value of $true or $false and this toggles the underlying bit in UAC.

    i.e. Set-QADComputer -identity $MyComputer -proxy -objectattributes @{edsaDoNotRequirePassword=$false}

  • We do indeed. That worked a treat! Thanks!