Windows AD Users Accounts Make AES 128 \ 256 Default for all New Account

rr-4098 1,561 Reputation points
2024-11-05T19:41:05.11+00:00

We have enabled AES on all user accounts, including krbtgt ( changed password) and set the following Group Policy for AES only: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options: Network security: Configure encryption types allowed for Kerberos

Yet when a new account is created in ADUC, the options for AES are not selected. Am I doing something wrong here?


2 answers

  1. Yanhong Liu 12,170 Reputation points Microsoft Vendor
    2024-11-07T02:33:36.6766667+00:00

    Hello,

    It sounds like you're on the right track with enabling AES encryption for your Active Directory (AD) user accounts, but there are a few key points to ensure everything is set up correctly.

    1. Group Policy Application:

    Ensure that the Group Policy Object (GPO) you configured is properly linked to the appropriate Organizational Unit (OU) where user accounts are created.

    Run gpupdate /force on the domain controllers and client machines to ensure the latest group policies are applied.

    2. AD Schema Version:

    Ensure that your Active Directory schema is updated and supports AES encryption types. AES encryption types were introduced with Windows Server 2008, so if you have older domain controllers, this might be an issue.

    3. User Account Properties:

    When a new user account is created in Active Directory Users and Computers (ADUC), it inherits default settings. The AES options must be manually enabled unless you script or automate this process.

    4. Template Accounts:

    If you are using a template account for creating new users, ensure that the template has the AES settings configured. This way, any new accounts created from the template will inherit those settings.

    5. Password Change Requirement:

    It's important to note that existing accounts will need to have their passwords changed for the AES settings to take effect. This is because the Kerberos ticket is generated based on the password hash, and if the password was set before AES was enabled, it will continue to use the old encryption type (like RC4).

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

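The "Network security: Configure encryption types allowed for Kerberos" policy in the question writes a registry value on the computers it applies to (including the DCs), while the AES checkboxes shown in ADUC for a user are that user's msDS-SupportedEncryptionTypes attribute, which the policy does not touch. The script below is an added example, not code from the thread, that audits and sets that attribute for the accounts in one OU; it assumes the ActiveDirectory RSAT module, write access to the user objects, and a placeholder OU path you must replace.

```powershell
# Added example (not from the original thread): bulk-enable the ADUC
# "This account supports Kerberos AES 128/256 bit encryption" checkboxes.
# Those checkboxes are bits in msDS-SupportedEncryptionTypes:
#   0x01 DES_CBC_CRC, 0x02 DES_CBC_MD5, 0x04 RC4_HMAC, 0x08 AES128, 0x10 AES256
# Assumes the ActiveDirectory RSAT module and rights to write user objects.
Import-Module ActiveDirectory

$RC4    = 0x04
$AES128 = 0x08
$AES256 = 0x10
$Target = $AES128 -bor $AES256    # 24 = AES only, no RC4/DES bits

# Placeholder OU: replace with the OU where new user accounts are created.
$SearchBase = 'OU=Users,DC=example,DC=com'

$users = Get-ADUser -Filter * -SearchBase $SearchBase `
                    -Properties 'msDS-SupportedEncryptionTypes'

foreach ($u in $users) {
    # Unset attribute casts to 0, which means "KDC decides" rather than AES.
    $current = [int]($u.'msDS-SupportedEncryptionTypes')
    $hasAes  = ($current -band $Target) -eq $Target
    $hasRc4  = ($current -band $RC4) -ne 0

    if ($hasAes -and -not $hasRc4) { continue }   # already AES-only

    Write-Host ("{0}: msDS-SupportedEncryptionTypes={1} (AES={2}, RC4={3}) -> {4}" `
        -f $u.SamAccountName, $current, $hasAes, $hasRc4, $Target)

    # -WhatIf previews the change; remove it to apply.
    Set-ADUser -Identity $u -Replace @{ 'msDS-SupportedEncryptionTypes' = $Target } -WhatIf
}

# Note from item 5 of the answer above: an account whose password was last set
# before the DCs supported AES has no AES keys until its password is reset.
```

Run it against a test OU first; once the output looks right, drop -WhatIf and consider running the same loop from your account-provisioning script so new users never sit at the unset value.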

  2. rr-4098 1,561 Reputation points
    2024-11-07T15:49:16.8366667+00:00

    Thank you for the great feedback. Regarding item #3, even with the proper GP settings enabled, a new user account will not have AES enabled unless it is set manually or via script; is this correct? If so, what is the point of setting the default domain policy to use AES like I listed previously?

    3. User Account Properties:

    When a new user account is created in Active Directory Users and Computers (ADUC), it inherits default settings. The AES options must be manually enabled unless you script or automate this process.

