Categories

Discovering Users that do not require Kerberos pre-authentication

As this setting is controlled by the useraccountcontrol attribute we need the usual LDAP search

$ou = "OU=England,DC=Manticore,DC=org"            
            
"`nMicrosoft"            
Get-ADUser -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))" |             
Format-Table Name, DistinguishedName            
            
            
"`nAD provider"            
Get-ChildItem -Filter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))" `
 -Path Ad:\"DC=Manticore,DC=org" -Recurse |            
Format-Table Name, DistinguishedName            
            
            
            
"`nQuest"            
Get-QADUser -LdapFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))" |            
Format-Table Name, DN            
            
"`nScript"            
$root = [ADSI]""            
$search = [adsisearcher]$root            
$search.Filter = "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))"            
$search.SizeLimit = 3000            
$results = $search.FindAll()            
            
foreach ($result in $results){            
    $result.Properties |             
    select @{N="Name"; E={$_.name}}, @{N="DistinguishedName"; E={$_.distinguishedname}}            
}

Leave a Reply