Setting a computer object encryption type using ARS Management Shell

Hey all.

With the native AD cmdlets, we can set a computer's encryption type using Set-ADComputer, for example

Set-ADComputer -Identity fooComputer -KerberosEncryptionType AES256

However, I'm not sure how to achieve this with Set-QADComputer. I tried the following, with no joy...

Set-QADComputer -Identity fooComputer -ObjectAttributes @{KerberosEncryptionType='AES256'}

Any ideas on how to set this, and other UAC values, using the ARS management shell?

Many thanks,

Jay.

  • Did a quick bit of research on this and it looks like your Kerberos property is stored as bits in msDS-SupportedEncryptionTypes.

    It's a 32-bit integer syntax so you have to send a number.

    So you would need to do the bitwise math and then set this value.

    Here's a reference

    # Value 256 below is a placeholder only!

    Set-QADComputer -Identity fooComputer -ObjectAttributes @{'msDS-SupportedEncryptionTypes'=256}

    This is one of those unexpectedly arcane topics.  Happy Googl'ing

  • As always, you're a Gent and a scholar! Thanks for the heads up on the msDS-SupportedEncryptionTypes. That was super helpful, and if it is of any benefit to anyone, the integer value for AES256 encryption is '16'.

    As for UAC. One thing I've noticed is that when creating a new computer object with New-QADcomputer, it creates a machine account with UAC value 1428 (0x1020 PASSWD_NOTREQD | WORKSTATION_TRUST_ACCOUNT).

    However, when creating a computer with New-ADComputer, it creates a machine account with UAC value 4096 (0x1000 WORKSTATION_TRUST_ACCOUNT). I can't see any options in New-QADComputer and Set-QADComputer to remedy the UAC value. I don't see any Set-ADAccountControl equivalent in the Quest CMDLETS.

    Any suggestions?

  • If you have Active Roles in your environment, then you have access to the UAC-derived virtual property edsaDoNotRequirePassword.

    It can be set to a value of $true or $false and this toggles the underlying bit in UAC.

    i.e. Set-QADComputer -identity $MyComputer -proxy -objectattributes @{edsaDoNotRequirePassword=$false}
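    The bit math from the replies above, worked through as an added example (not code from the thread or from the ARS product). It assumes Get-QADComputer accepts -IncludedProperties and exposes the requested attributes as properties on the returned object; the flag values are the documented bits of msDS-SupportedEncryptionTypes and userAccountControl.

    ```powershell
    # Added example, not from the thread. 'fooComputer' is the placeholder name used above.

    # msDS-SupportedEncryptionTypes bit flags (decimal value of each bit).
    $EncType = @{
        'DES_CBC_CRC' = 1    # 0x01
        'DES_CBC_MD5' = 2    # 0x02
        'RC4_HMAC'    = 4    # 0x04
        'AES128'      = 8    # 0x08
        'AES256'      = 16   # 0x10, the '16' mentioned above
    }

    # userAccountControl bits that the thread talks about.
    $Uac = @{
        'PASSWD_NOTREQD'            = 0x0020
        'WORKSTATION_TRUST_ACCOUNT' = 0x1000
    }

    # OR the chosen flags together into the single integer the attribute expects.
    function Get-EncTypeValue {
        param([string[]]$Names)
        $value = 0
        foreach ($n in $Names) { $value = $value -bor $EncType[$n] }
        return $value
    }

    # Decode an integer back into flag names, to check what an object currently has.
    function ConvertTo-FlagNames {
        param([int]$Value, [hashtable]$Map)
        $Map.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } |
            ForEach-Object { $_.Key } | Sort-Object
    }

    $name = 'fooComputer'

    # Read current values (assumption: -IncludedProperties surfaces them as properties).
    $c = Get-QADComputer -Identity $name -IncludedProperties msDS-SupportedEncryptionTypes,userAccountControl
    "Current enc types: $(ConvertTo-FlagNames ([int]$c.'msDS-SupportedEncryptionTypes') $EncType)"
    "Current UAC flags: $(ConvertTo-FlagNames ([int]$c.userAccountControl) $Uac)"

    # AES only (no RC4/DES): 8 + 16 = 24. The key is quoted because of the hyphen.
    $aesOnly = Get-EncTypeValue 'AES128','AES256'
    Set-QADComputer -Identity $name -ObjectAttributes @{'msDS-SupportedEncryptionTypes' = $aesOnly}

    # Clear PASSWD_NOTREQD (0x20) with plain bit math, leaving every other UAC bit as it was.
    $newUac = ([int]$c.userAccountControl) -band (-bnot $Uac['PASSWD_NOTREQD'])
    Set-QADComputer -Identity $name -ObjectAttributes @{userAccountControl = $newUac}
    ```

    Dropping RC4 from msDS-SupportedEncryptionTypes only makes sense once the machine and every service it talks to negotiate AES; check the decoded current value before narrowing it.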

  • We do indeed. That worked a treat! Thanks!
