🎙️ In this episode of Directory Insights in 10 Minutes, powered by Guardians of the Directory, Craig Birch walks you through detecting and remediating a legacy misconfiguration that still haunts many AD environments: accounts limited to DES-only Kerberos encryption.

DES is weak, deprecated, and easily cracked — yet it's still lurking in environments where older configurations or forgotten accounts persist.

🔍 What You’ll Learn:• Why DES-only encryption is dangerous in modern AD environments
• How attackers exploit this weakness in Kerberos ticket exchanges
• PowerShell techniques to find accounts with DES enabled
• How to upgrade users to AES encryption using Set-ADUser
• GUI vs. script-based remediation — what’s faster and safer🛠️ PowerShell Spotlight:# Find users with DES-only encryption enabled

Get-ADUser -Filter {UserAccountControl -band 0x200000} -Properties UserAccountControl |

Select-Object Name, SamAccountName

# Remediate: Remove DES-only flag and enable AES

Set-ADUser username -KerberosEncryptionType AES128,AES256

✅ This helps ensure your accounts are no longer relying on crackable encryption standards.

✅ Quick Takeaways:

• DES is deprecated and no longer secure

• Many legacy accounts still silently rely on DES

• Use PowerShell or GUI to detect and remediate fast

• Always test before changing encryption settings on service accounts

• Enforce stronger Kerberos encryption org-wide via GPO

💬 Found this helpful? Like, comment, or share. Got a topic for a future 10-minute breakdown? Drop it below — we’re listening.

📌 Powered by Guardians of the Directory