Finding AD Accounts Explicitly Configured To Use RC4 Kerberos

In response to CVE-2022-37966, the following PowerShell will find all accounts (users, computers, managed service accounts, and group managed service accounts) explicitly configured to use RC4 Kerberos encryption only:

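Get-ADObject -Filter "objectClass -eq 'user'" -Properties msDS-SupportedEncryptionTypes |
    Where-Object -FilterScript {
        # 0x3f = all encryption-type bits (DES-CBC-CRC, DES-CBC-MD5, RC4, AES128, AES256, AES256-SK);
        #        at least one must be set, so the attribute is explicitly configured.
        # 0x38 = the AES bits (AES128, AES256, AES256-SK); none of them may be set.
        (($_."msDS-SupportedEncryptionTypes" -band 0x3f) -ne 0) -and
        (($_."msDS-SupportedEncryptionTypes" -band 0x38) -eq 0)
    }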

The above script is also available in my GitHub.
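To triage the results, it helps to see which encryption-type bits each account actually carries. The following is an added example, not the author's script: it decodes the attribute with the same 0x3f and 0x38 masks and labels each account. The enum name, function name, status labels and sample accounts are hypothetical and constructed for illustration.

```powershell
# Added example. Bit names follow the msDS-SupportedEncryptionTypes layout
# that the 0x3f and 0x38 masks in the query above rely on.
[Flags()] enum KerbEncType {
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08
    AES256      = 0x10
    AES256_SK   = 0x20
}

function Get-KerbEncTypeReport {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$Account)
    process {
        # A missing attribute arrives as $null, which [int] converts to 0.
        $raw = [int]($Account.'msDS-SupportedEncryptionTypes')
        $enc = $raw -band 0x3f   # encryption-type bits only; higher bits are ignored
        $aes = $raw -band 0x38   # AES128, AES256, AES256-SK

        if     ($enc -eq 0)      { $status = 'NotExplicitlySet' }
        elseif ($aes -eq 0)      { $status = 'NoAES' }          # matched by the query above
        elseif ($enc -band 0x07) { $status = 'AESPlusLegacy' }  # AES alongside RC4 and/or DES
        else                     { $status = 'AESOnly' }

        [pscustomobject]@{
            Name     = $Account.Name
            RawValue = '0x{0:x}' -f $raw
            EncTypes = if ($enc) { ([KerbEncType]$enc).ToString() } else { '' }
            Status   = $status
        }
    }
}

# Constructed sample accounts (not real directory data).
$sample = @(
    [pscustomobject]@{ Name = 'svc-rc4';     'msDS-SupportedEncryptionTypes' = 0x04 }
    [pscustomobject]@{ Name = 'svc-des-rc4'; 'msDS-SupportedEncryptionTypes' = 0x07 }
    [pscustomobject]@{ Name = 'svc-mixed';   'msDS-SupportedEncryptionTypes' = 0x1c }
    [pscustomobject]@{ Name = 'svc-aes';     'msDS-SupportedEncryptionTypes' = 0x18 }
    [pscustomobject]@{ Name = 'svc-unset';   'msDS-SupportedEncryptionTypes' = $null }
)
$sample | Get-KerbEncTypeReport | Format-Table -AutoSize

# Against a live domain, feed it the same query used above:
# Get-ADObject -Filter "objectClass -eq 'user'" -Properties msDS-SupportedEncryptionTypes |
#     Get-KerbEncTypeReport | Where-Object Status -eq 'NoAES'
```

Note that the `NoAES` rows include accounts limited to DES as well as RC4, because the 0x38 mask only tests for the absence of AES bits.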

Author: Anthony J. Fontanez