Guardians of the Directory

Kerberos Pre-Auth: Hidden AD Risk



In this episode of Directory Insights in 10 Minutes, Craig Birch breaks down one of the most overlooked Active Directory misconfigurations: the "Do not require Kerberos pre-authentication" setting.

🔍 Why it matters:
- Enables AS-REP Roasting attacks using tools like Hashcat or John the Ripper
- Allows silent user enumeration without authentication failures
- Can go undetected by SIEMs and security logs

🛠️ What you'll learn:
- How this setting weakens AD security
- How attackers abuse it for initial access and password cracking
- How to detect and remediate affected accounts using PowerShell

🧠 Practical, fast, and built for real-world AD admins—no fluff.

▶️ Chapters:
00:00 - Intro
00:45 - Why "Do Not Require Pre-Auth" Is Dangerous
02:30 - AS-REP Roasting Explained
03:20 - Finding Vulnerable Accounts (GUI + PowerShell)
05:40 - Remediation Script Walkthrough
08:20 - Final Recommendations

📥 PowerShell Script:

# Import the Active Directory module
Import-Module ActiveDirectory

# Find user accounts that do not require Kerberos preauthentication
$users = Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth

# Display the accounts that do not require Kerberos preauthentication
$users | Select-Object Name, SamAccountName, UserPrincipalName

# Pause for confirmation before remediation
Read-Host -Prompt "Press Enter to remediate these accounts"

# Remediate all accounts by setting DoesNotRequirePreAuth to $false
foreach ($user in $users) {
    Set-ADAccountControl -Identity $user -DoesNotRequirePreAuth $false
}
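The episode's script finds the misconfiguration in the directory; the point about SIEM blind spots is that the abuse itself also leaves a trace on the domain controller. The following added example (not from the episode or its script) looks for that trace: Kerberos event 4768 entries where a TGT was issued with Pre-Authentication Type 0. It assumes "Audit Kerberos Authentication Service" success auditing is enabled and that it runs on a DC or is pointed at one with -ComputerName.

```powershell
# Added example, not part of the episode's script: surface AS-REP issuance without
# pre-authentication from a domain controller's Security log.
# Assumptions: "Audit Kerberos Authentication Service" (success) is enabled, and the
# script runs on a DC or -ComputerName names one you can read remotely.
function Get-AsRepWithoutPreAuth {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # assumption: current host is a DC
        [int]$Hours = 24                             # look-back window
    )

    $filter = @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        # Pull the named EventData fields out of the event XML
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # PreAuthType 0 = logon without pre-authentication; Status 0x0 = TGT was issued.
        # That combination is the encrypted AS-REP an attacker takes offline to crack.
        if ($data.PreAuthType -eq '0' -and $data.Status -eq '0x0') {
            [pscustomobject]@{
                TimeCreated = $event.TimeCreated
                User        = $data.TargetUserName
                ClientIP    = $data.IpAddress
                # 0x17 = RC4-HMAC (cheap to crack); 0x12 = AES256 (slower, still roastable)
                EncType     = $data.TicketEncryptionType
            }
        }
    }
}

# Report the hits, then cross-check against the directory with the episode's
# Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} query and remediate.
Get-AsRepWithoutPreAuth -Hours 72 | Sort-Object TimeCreated | Format-Table -AutoSize
```

Accounts that show up here but are not in the Get-ADUser output have usually been flipped back since the request was logged; the client IP is the lead to follow in that case.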


Guardians of the Directory, by Guardian of the Directory