In response to CVE-2022-37966, the following PowerShell will find all accounts (users, computers, managed service accounts, and group managed service accounts) explicitly configured to use RC4 Kerberos encryption only:

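# Computers, MSAs and gMSAs all derive from the 'user' class, so this one filter covers them.
Get-ADObject -Filter "objectClass -eq 'user'" -Properties msDS-SupportedEncryptionTypes |
    Where-Object -FilterScript {
        # 0x3f = every defined encryption-type bit: the attribute is explicitly set...
        (($_."msDS-SupportedEncryptionTypes" -band 0x3f) -ne 0) -and
        # ...and 0x38 = the AES bits (AES128, AES256, AES256-SK): none of them is enabled.
        (($_."msDS-SupportedEncryptionTypes" -band 0x38) -eq 0)
    }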

The above script is also available on my GitHub.
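
To see which attribute values the filter matches, the following added example (not part of the original script) decodes msDS-SupportedEncryptionTypes values offline and applies the same two mask tests. The function name `Get-EncTypeAssessment` and the sample values are constructed for illustration; no domain access is needed.

```powershell
# Added example: decode msDS-SupportedEncryptionTypes and apply the filter's mask logic.
# Keys are names, values are bits, so the ordered dictionary is never indexed by integer.
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC'                = 0x01
    'DES-CBC-MD5'                = 0x02
    'RC4-HMAC'                   = 0x04
    'AES128-CTS-HMAC-SHA1-96'    = 0x08
    'AES256-CTS-HMAC-SHA1-96'    = 0x10
    'AES256-CTS-HMAC-SHA1-96-SK' = 0x20
}

# Hypothetical helper: returns the decoded flags and whether the filter would flag the value.
function Get-EncTypeAssessment {
    param($Value)

    # An absent attribute comes back as $null; treat it like 0 (nothing explicitly set).
    if ($null -eq $Value) { $Value = 0 }
    $v = [int]$Value

    $names = foreach ($entry in $EncTypeBits.GetEnumerator()) {
        if ($v -band $entry.Value) { $entry.Key }
    }
    $decoded = '(not set)'
    if ($names) { $decoded = $names -join ', ' }

    # Same two tests as the Where-Object block: some bit is set, and no AES bit is set.
    $flagged = (($v -band 0x3f) -ne 0) -and (($v -band 0x38) -eq 0)

    [pscustomobject]@{
        Value    = '0x{0:X2}' -f $v
        EncTypes = $decoded
        Flagged  = $flagged
    }
}

# Constructed sample values: unset, DES only, RC4 only, DES+RC4, AES only, RC4+AES, AES-SK only.
$null, 0x00, 0x03, 0x04, 0x07, 0x18, 0x1C, 0x20 |
    ForEach-Object { Get-EncTypeAssessment $_ } |
    Format-Table -AutoSize
```

Accounts whose attribute is unset or 0 are not flagged, because nothing is explicitly configured on them, while values that enable only the DES bits are flagged alongside RC4-only values, since the test is "no AES bit set".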