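<#
.SYNOPSIS
Turns the integer stored in msDS-SupportedEncryptionTypes into a human readable value
.DESCRIPTION
Decodes the msDS-SupportedEncryptionTypes bit mask into the names of the Kerberos
encryption types it enables, one entry per set bit in ascending bit order
(1 = DES_CBC_CRC, 2 = DES_CBC_MD5, 4 = RC4, 8 = AES 128, 16 = AES 256).
Bits outside that table are reported as 'Unknown (0x..)' rather than being dropped.
A blank value ($null, '' as produced by Group-Object for the unset group, or 0) is
reported as the 'Not defined' entry.
For more info on the encryption types: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797
.EXAMPLE
Get-ETypeDefinition 7
Returns 'DES_CBC_CRC', 'DES_CBC_MD5', 'RC4'
.EXAMPLE
Get-ETypeDefinition 24 -AsString
Returns 'AES 128,AES 256'
.PARAMETER msDSSupportedEncryptionTypes
The raw attribute value. Normally an [int]; $null and '' are accepted and treated as 0
so that unset attributes and Group-Object's blank group name decode without a cast error.
.PARAMETER AsString
Returns the result as a comma delimited string instead of an array
.OUTPUTS
[string[]] by default, [string] when -AsString is given
.NOTES
Author: Paul Harrison
#>
function Get-ETypeDefinition {
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory = $true,
            ValueFromPipelineByPropertyName = $true,
            Position = 0)]
        [AllowNull()]
        [AllowEmptyString()]
        $msDSSupportedEncryptionTypes,
        [switch] $AsString
    )
    Begin {
        # Known bits. Key 0 exists only for the "not set" case; -band never matches it.
        # NOTE(review): what a blank value actually defaults to depends on the DC
        # configuration (see the linked article) - confirm the 0 label for your domain.
        $ETypes = [HASHTABLE]@{
            0  = 'Not defined - defaults to RC4_HMAC_MD5'
            1  = 'DES_CBC_CRC'
            2  = 'DES_CBC_MD5'
            4  = 'RC4'
            8  = 'AES 128'
            16 = 'AES 256'
        }
        # Hashtable keys enumerate in an unspecified order; sort once so the output
        # (and therefore the -AsString form) is deterministic and in bit order.
        $OrderedBits = @($ETypes.Keys | ForEach-Object { [int]$_ } | Sort-Object)
        $KnownMask = 0
        foreach ($bit in $OrderedBits) { $KnownMask = $KnownMask -bor $bit }
    }
    Process {
        # Blank input ($null, '' or whitespace) means "attribute not set"; it cannot be
        # cast to [int] directly, so normalise it to 0 before decoding.
        $Value = 0
        if (-not [string]::IsNullOrWhiteSpace([string]$msDSSupportedEncryptionTypes)) {
            $Value = [int]$msDSSupportedEncryptionTypes
        }
        if (0 -eq $Value) {
            $Types = @($ETypes[0])
        }
        else {
            $Types = @(
                foreach ($bit in $OrderedBits) {
                    if ($bit -ne 0 -and ($Value -band $bit) -ne 0) {
                        $ETypes[$bit]
                    }
                }
                # Surface bits the table does not know instead of silently dropping them.
                $Unknown = $Value -band (-bnot $KnownMask)
                if ($Unknown -ne 0) {
                    'Unknown (0x{0:X})' -f $Unknown
                }
            )
        }
        if ($AsString) {
            $Types -join ','
        }
        else {
            $Types
        }
    }
    End {
    }
}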
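#######################################
# Report helpers. Every object class below gets the same three views (raw summary,
# human-readable summary, impacted list), so the pipelines are written once here
# instead of being copied per class. All of them only read
# msDS-SupportedEncryptionTypes; nothing is written back to AD.
#######################################

# Normalise a raw attribute value to an [int] for Get-ETypeDefinition.
# The attribute is absent ($null) on objects that never had it set, and Group-Object
# reports that group with an empty Name (''); neither casts to [int] cleanly, so both
# are mapped to 0 ("not set").
function ConvertTo-ETypeInt {
    param([AllowNull()][AllowEmptyString()] $RawValue)
    if ([string]::IsNullOrWhiteSpace([string]$RawValue)) { return 0 }
    return [int]$RawValue
}

# True when the value is blank (reported as RC4 by the 0 entry in Get-ETypeDefinition)
# or has the RC4 bit (4) set. Computed from the bit mask rather than by searching the
# decoded label for "RC4", so the check does not depend on the wording of the names.
function Test-RC4OrBlank {
    param([AllowNull()][AllowEmptyString()] $RawValue)
    $value = ConvertTo-ETypeInt $RawValue
    return ($value -eq 0) -or (($value -band 4) -ne 0)
}

# Count of objects per raw msDS-SupportedEncryptionTypes value.
function Get-ETypeSummary {
    param([Parameter(Mandatory = $true)][AllowNull()][AllowEmptyCollection()][object[]] $Objects)
    $Objects | Group-Object msDS-SupportedEncryptionTypes | Select-Object count, name
}

# Same summary with each raw value decoded into encryption type names.
function Get-ETypeSummaryReadable {
    param([Parameter(Mandatory = $true)][AllowNull()][AllowEmptyCollection()][object[]] $Objects)
    $Objects | Group-Object msDS-SupportedEncryptionTypes |
        Select-Object count, name,
            @{N = 'EncryptionTypes'; E = { Get-ETypeDefinition -msDSSupportedEncryptionTypes (ConvertTo-ETypeInt $_.Name) } },
            @{N = 'HasRC4OrIsBlank'; E = { Test-RC4OrBlank $_.Name } }
}

# Objects whose attribute is explicitly set and does not include the RC4 bit - the
# ones this script reports as impacted. The raw value is kept in the output so the
# decoded names can be checked against it.
function Get-ETypeImpacted {
    param([Parameter(Mandatory = $true)][AllowNull()][AllowEmptyCollection()][object[]] $Objects)
    $Objects |
        Select-Object name, objectClass, 'msDS-SupportedEncryptionTypes',
            @{N = 'EncryptionTypes'; E = { Get-ETypeDefinition -msDSSupportedEncryptionTypes (ConvertTo-ETypeInt $_.'msDS-SupportedEncryptionTypes') } },
            @{N = 'HasRC4OrIsBlank'; E = { Test-RC4OrBlank $_.'msDS-SupportedEncryptionTypes' } } |
        Where-Object { -not $_.HasRC4OrIsBlank }
}

# Query each object class once and reuse the result for all three views; querying
# every object in the directory with -Filter * is expensive in a large domain, and
# it was previously repeated for each view.
#Get all AD objects
$allObjects = Get-ADObject -Filter * -Properties msDS-SupportedEncryptionTypes
#Get all impacted AD objects
Get-ETypeImpacted -Objects $allObjects
#Summary of msDS-SupportedEncryptionTypes for all AD objects
Get-ETypeSummary -Objects $allObjects
#Summary of msDS-SupportedEncryptionTypes for all AD objects - human readable
Get-ETypeSummaryReadable -Objects $allObjects
##
#Separate categories for investigating each object type are below. It is simply passing a different object type over the same pipeline
##
#Get computer objects
$computers = Get-ADComputer -Filter * -Properties msDS-SupportedEncryptionTypes
#Summary of msDS-SupportedEncryptionTypes for all computer objects
Get-ETypeSummary -Objects $computers
#Summary of msDS-SupportedEncryptionTypes for all computer objects - human readable
Get-ETypeSummaryReadable -Objects $computers
#List all computers that will be impacted
Get-ETypeImpacted -Objects $computers
#Get the gMSAs
$gMSAs = Get-ADServiceAccount -Filter * -Properties msDS-SupportedEncryptionTypes
#Summary of msDS-SupportedEncryptionTypes for all gMSAs
Get-ETypeSummary -Objects $gMSAs
#Summary of msDS-SupportedEncryptionTypes for all gMSAs - human readable
Get-ETypeSummaryReadable -Objects $gMSAs
#List all gMSAs that will be impacted
Get-ETypeImpacted -Objects $gMSAs
#Get the user objects
$users = Get-ADUser -Filter * -Properties msDS-SupportedEncryptionTypes
#Summary of msDS-SupportedEncryptionTypes for all user objects
Get-ETypeSummary -Objects $users
#Summary of msDS-SupportedEncryptionTypes for all user objects - human readable
Get-ETypeSummaryReadable -Objects $users
#List all users that will be impacted
Get-ETypeImpacted -Objects $users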