Discovering Users that do not require Kerberos pre-authentication

As this setting is controlled by the useraccountcontrol attribute we need the usual LDAP search

$ou = "OU=England,DC=Manticore,DC=org"            
Get-ADUser -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))" |             
Format-Table Name, DistinguishedName            
"`nAD provider"            
Get-ChildItem -Filter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))" `
 -Path Ad:\"DC=Manticore,DC=org" -Recurse |            
Format-Table Name, DistinguishedName            
Get-QADUser -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))" |            
Format-Table Name, DN            
$root = [ADSI]""            
$search = [adsisearcher]$root            
$search.Filter = "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"            
$search.SizeLimit = 3000            
$results = $search.FindAll()            
foreach ($result in $results){            
    $result.Properties |             
    select @{N="Name"; E={$}}, @{N="DistinguishedName"; E={$_.distinguishedname}}            

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>