ad - J House Consulting - DevOps, Microsoft, Citrix & Desktop Virtualisation (VDI) Specialist - +61 413 441 846

This PowerShell script will enumerate all user accounts in a Domain, calculate their UserAccountControl flags and create a report of the “interesting” flags in CSV format.

The interesting flags are those you are interested in reporting on as documented in Microsoft KB305144 such as:

SCRIPT
ACCOUNTDISABLE
HOMEDIR_REQUIRED
LOCKOUT
PASSWD_NOTREQD
PASSWD_CANT_CHANGE
ENCRYPTED_TEXT_PWD_ALLOWED
TEMP_DUPLICATE_ACCOUNT
NORMAL_ACCOUNT
INTERDOMAIN_TRUST_ACCOUNT
WORKSTATION_TRUST_ACCOUNT
SERVER_TRUST_ACCOUNT
DONT_EXPIRE_PASSWORD
MNS_LOGON_ACCOUNT
SMARTCARD_REQUIRED
TRUSTED_FOR_DELEGATION
NOT_DELEGATED
USE_DES_KEY_ONLY
DONT_REQ_PREAUTH
PASSWORD_EXPIRED
TRUSTED_TO_AUTH_FOR_DELEGATION
PARTIAL_SECRETS_ACCOUNT
Read more

SCRIPT UPDATED 22nd September 2017

This PowerShell script will enumerate all user accounts in a Domain, calculate their estimated Token Size and create a report of the top x users in CSV format.

However, before I talk about the script it’s important to provide some background information on Kerberos token size; how to calculate it; and how to manage it.

The Kerberos token size grows depending on the following facts:

Amount of direct and indirect (nested) group memberships.
- Distribution groups are not included in the token, but all security groups are included.
- All group scopes are included in the token evaluation.
Whether or not the user has a SID history, and if so, the number of entries.
Authentication method (username/password or multi-factor like Smart Cards).
The user is enabled for Kerberos delegation.
Local user rights assigned to the user.

If it grows beyond the default maximum allowed size…

Script to Create a Report on UserAccountControl flags

Script to create a Kerberos Token Size Report