Wednesday, April 25, 2018

Active Directory PowerShell Script to Report on Users with SPNs


This script pulls every Active Directory user object that has one or more servicePrincipalName (SPN) values defined and gathers the security-relevant details about each account.

Here are things the script looks for:

  • Whether the computer named in each SPN is currently online.
  • Whether the user account is configured for Kerberos constrained or unconstrained delegation.
  • Which Kerberos encryption types are enabled for the account (msDS-SupportedEncryptionTypes).
  • Whether the account is a member of a domain privileged group.
    • Also whether the account's primary group membership has been changed from the default.
  • The age of the account's password.

Our Recommendations:

  • No accounts should be set up with unconstrained Kerberos delegation.
  • None of these accounts should be in a privileged group. Example: Domain Admins or Enterprise Admins.
  • Passwords should be changed to a minimum of 15, preferably 25, characters.
  • Only valid SPNs should be defined.
  • DES encryption should not be used.
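The following is an added example, not the script from the post or its GitHub repository. It performs the checks listed above against the live domain with the RSAT ActiveDirectory module and flags each account against the recommendations. It assumes the module is installed, that the caller has ordinary domain read access, and that the privileged-group list and the one-year password-age threshold match local policy (both are assumptions to adjust).

```powershell
# Added example (not the post's script): inventory every AD user with an SPN and
# report the risk indicators listed in the post. Assumes the RSAT ActiveDirectory
# module is installed and the caller has ordinary domain read access.
Import-Module ActiveDirectory

# Documented bit values of msDS-SupportedEncryptionTypes
$EncFlags = [ordered]@{ 1 = 'DES_CBC_CRC'; 2 = 'DES_CBC_MD5'; 4 = 'RC4_HMAC'; 8 = 'AES128'; 16 = 'AES256' }

function ConvertFrom-EncryptionMask([int]$Mask) {
    # 0 / unset means "not configured": the KDC falls back to RC4 unless domain policy says otherwise
    if ($Mask -eq 0) { return 'NotSet(RC4 default)' }
    ($EncFlags.Keys | Where-Object { $Mask -band $_ } | ForEach-Object { $EncFlags[$_] }) -join '+'
}

# Privileged groups in scope (assumption: adjust to the organisation's own tiering model)
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'

# Resolve membership once, recursively, so nested group membership is caught as well
$PrivilegedMembers = @{}
foreach ($g in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { $PrivilegedMembers[$_.DistinguishedName] = $g }
    } catch { Write-Warning "Could not enumerate group '$g': $_" }
}

# Cache ping results so a host referenced by many SPNs is tested only once
$HostOnline = @{}
function Test-SpnHost([string]$Spn) {
    # SPN shape is service/host[:port][/name]; the host is the second component
    $hostName = (($Spn -split '/')[1] -split ':')[0]
    if (-not $HostOnline.ContainsKey($hostName)) {
        $HostOnline[$hostName] = [bool](Test-Connection -ComputerName $hostName -Count 1 -Quiet -ErrorAction SilentlyContinue)
    }
    return $HostOnline[$hostName]
}

$Props = 'servicePrincipalName', 'msDS-SupportedEncryptionTypes', 'TrustedForDelegation',
         'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo', 'PasswordLastSet',
         'MemberOf', 'PrimaryGroupID', 'Enabled'

$Report = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties $Props | ForEach-Object {
    $u = $_

    # Delegation posture: unconstrained is a UAC flag on the account, constrained is a target list
    if ($u.TrustedForDelegation) { $delegation = 'Unconstrained' }
    elseif ($u.'msDS-AllowedToDelegateTo') {
        $delegation = if ($u.TrustedToAuthForDelegation) { 'Constrained (protocol transition)' } else { 'Constrained' }
    } else { $delegation = 'None' }

    # Reachability of every host named in the account's SPNs
    $anyOffline = $false
    $spnStatus = foreach ($spn in $u.servicePrincipalName) {
        if (Test-SpnHost $spn) { "$spn (online)" } else { $anyOffline = $true; "$spn (OFFLINE)" }
    }

    $encMask = [int]($u.'msDS-SupportedEncryptionTypes')   # null becomes 0
    $pwdAge  = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
    $priv    = $PrivilegedMembers[$u.DistinguishedName]      # group name, or $null if not privileged

    # Findings mirror the post's recommendations; the 365-day threshold is an assumption
    $findings = @()
    if ($delegation -eq 'Unconstrained')            { $findings += 'UnconstrainedDelegation' }
    if ($priv)                                      { $findings += "PrivilegedGroup:$priv" }
    if ($encMask -band 3)                           { $findings += 'DES_Enabled' }
    if ($u.PrimaryGroupID -ne 513)                  { $findings += "PrimaryGroupChanged:$($u.PrimaryGroupID)" } # 513 = Domain Users
    if ($null -eq $pwdAge -or $pwdAge -gt 365)      { $findings += 'PasswordOlderThan1Year' }
    if ($anyOffline)                                { $findings += 'SpnHostOffline' }

    [PSCustomObject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        Delegation      = $delegation
        EncryptionTypes = ConvertFrom-EncryptionMask $encMask
        PrivilegedGroup = $priv
        PrimaryGroupID  = $u.PrimaryGroupID
        PasswordAgeDays = $pwdAge
        SPNs            = ($spnStatus -join '; ')
        Findings        = ($findings -join ', ')
    }
}

$Report | Sort-Object Findings -Descending | Format-Table -AutoSize
$Report | Export-Csv -Path .\SpnUserReport.csv -NoTypeInformation
```

The Findings column is the part worth reviewing first: any row carrying UnconstrainedDelegation, PrivilegedGroup or DES_Enabled violates the recommendations outright, while SpnHostOffline usually points at a stale SPN that should be removed. Note that a value of 0 in msDS-SupportedEncryptionTypes means the attribute is unset rather than "no encryption", so the report labels it separately instead of treating it as a finding.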


Here is an example of the output:

[image: example of the script's output]

Here is the source code, which can be found on GitHub: Link


And that is all for now.

-Chad



from TechNet Blogs https://ift.tt/2Fh6i71
