Active Directory checks you should run on a regular basis

The following powershell cmdlets will help you identify user accounts in your Active Directory environment that have settings configured that are a joy for hackers.

My advise is to schedule the cmdlets or put them in a script to automate the process.

  • Check for accounts that don’t have password expiry set
    Get-ADUser -Filter ‘useraccountcontrol -band 65536’ -Properties useraccountcontrol
  • Check for accounts that have no password requirement
    Get-ADUser -Filter ‘useraccountcontrol -band 32’ -Properties useraccountcontrol
  • Accounts that have the password stored in a reversibly encrypted format
    Get-ADUser -Filter ‘useraccountcontrol -band 128’ -Properties useraccountcontrol
  • List users that are trusted for Kerberos delegation
    Get-ADUser -Filter ‘useraccountcontrol -band 524288’ -Properties useraccountcontrol
  • List accounts that don’t require pre-authentication
    Get-ADUser -Filter ‘useraccountcontrol -band 4194304’ -Properties useraccountcontrol
  • List accounts that have credentials encrypted with DES
    Get-ADUser -Filter ‘useraccountcontrol -band 2097152’ -Properties useraccountcontrol

Use the export-csv cmdlet piped to create a usable list. For example  | export-csv your_list.csv

UserAccountControl flags are documented here!