If you need a repeatable way to identify accounts with Kerberos pre-authentication disabled you can do so in the AD Users and Computers UI. (Or PowerShell, or LDP or… ). I personally use this UI a bit because you can configure it and leave it as a neat value add for the customers ADUC console after the job is done.
1. Open AD Users and Computers
2. Navigate to the “Saved Queries” section.
3. Right Click and Choose New Query.
4. Click on Define Query
5. Drop down the list, choose “custom search”.
5. Click on Advanced, then paste in the query string: “(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.1135184.108.40.2063:=4194304))” (No Quotes).
6. Hit OK all the way out, and you have a shiny new item in your ADUA console showing you all the accounts with Pre-Auth disabled.
7. (Optional) Add other things you need on a day to day basis, maybe the accounts that haven’t been used in 90 days, or disabled accounts?
Ok, so that was a slightly boring post and probably old news on the saved queries functionality but i needed to paste the search string for Kerberos Pre-Auth somewhere I could find it quickly and it would have looked even more lonely without some screen shots 🙂