This script goes out and pulls every Active Directory User object with ServicePrincipalName’s (SPN) defined and gathers important information about that account.
Here are things the script looks for:
- Is the SPN’s computer that is defined currently online.
- Is the User Account set up with Kerberos Constrained vs UnConstrained Delegation.
- What kind of encryption is being used for the accounts password. (msds-supportedencryptiontypes)
- Checks to see if the Account is a member of a Domain Privileged Group.
- Also checks so see if the primary Group Membership has changed.
- The password age.
Our Recommendations:
- No Accounts should be set up with Unconstrained Kerberos Delegation
- None of these accounts should be in a privileged group. Example – Domain Admins or Enterprise Admins
- Passwords should be changes with a a minimum 15, preferred 25 character password.
- Only Valid SPN’s should be defined.
- DES Encryption should not be used.
Here is an example of the output
Here is the source code which can be found on Github: Link
And that is all for now.
-Chad
Recommend Reading: