RC4-ADAssessment

4.10.0-preview0001

PowerShell toolkit for assessing DES and RC4 Kerberos encryption usage in Active Directory. Discovers RC4/DES dependencies across DC encryption, trusts, KRBTGT, service accounts, KDC registry, KDCSVC events, and Security event logs — with inline remediation commands and assessment comparison for tracking progress toward the July 2026 RC4 removal deadline.

Minimum PowerShell version

5.1

This is a prerelease version of RC4-ADAssessment.
There is a newer prerelease version of this module available.
See the version list below for details.

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name RC4-ADAssessment -RequiredVersion 4.10.0-preview0001 -AllowPrerelease

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

Install-PSResource -Name RC4-ADAssessment -Version 4.10.0-preview0001 -Prerelease

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Owners

Copyright

(c) Jan Tiedemann. All rights reserved.

Package Details

Author(s)

  • Jan Tiedemann

Tags

ActiveDirectory Kerberos RC4 DES AES Encryption Security Assessment Remediation

Functions

Invoke-RC4Assessment Invoke-RC4AssessmentComparison Invoke-RC4ForestAssessment

Dependencies

This module has no dependencies.

Release Notes

## [4.10.0-preview0001] - 2026-04-15

### Fixed

- Remediation commands now note that gMSA/sMSA/dMSA require `Set-ADServiceAccount` instead
 of `Set-ADUser` (which cannot find Managed Service Account objects). Added to all inline
 fix commands in `Invoke-RC4Assessment`, `-IncludeGuidance` output (`Show-ManualValidationGuidance`),
 and exported guidance text (`Get-GuidancePlainText`). Also clarifies that MSA passwords are
 managed by AD — no manual `Set-ADAccountPassword` reset is needed; AES keys are generated
 at the next automatic password rotation. Computer accounts already correctly use `Set-ADComputer`.

### Changed

- "RC4 tickets detected in event logs" downgraded from CRITICAL to WARNING — RC4 tickets may
 originate from intentional `0x1C` exception accounts that will continue functioning after
 July 2026 enforcement
- "Missing AES keys" upgraded from WARNING to CRITICAL — accounts with no AES keys (explicit
 non-AES encryption or very old passwords predating AES key generation) will break after
 enforcement phase

FileList

Version History

Version Downloads Last updated
4.13.0 128 4/17/2026
4.13.0-previ... 4 4/17/2026
4.13.0-previ... 3 4/17/2026
4.12.0 14 4/16/2026
4.12.0-previ... 2 4/16/2026
4.11.0 4 4/16/2026
4.11.0-previ... 2 4/16/2026
4.10.0 21 4/15/2026
4.10.0-previ... (current version) 3 4/15/2026
4.9.0 16 4/15/2026
4.9.0-previe... 3 4/15/2026
4.8.0 7 4/15/2026
4.8.0-previe... 3 4/15/2026
4.8.0-previe... 2 4/14/2026
4.8.0-previe... 2 4/14/2026
4.8.0-previe... 2 4/14/2026
4.7.0 14 4/13/2026
4.7.0-previe... 3 4/13/2026
4.7.0-previe... 3 4/10/2026
4.6.0 15 4/10/2026
4.6.0-previe... 2 4/10/2026
4.5.0 26 4/7/2026
4.5.0-previe... 2 4/7/2026
4.5.0-previe... 2 4/7/2026
4.5.0-previe... 2 4/7/2026
4.5.0-previe... 2 4/7/2026
4.4.0 4 4/7/2026
4.4.0-previe... 2 4/7/2026
4.4.0-previe... 2 4/7/2026
4.4.0-previe... 5 4/7/2026
4.4.0-previe... 5 4/7/2026
4.3.0 24 4/7/2026
4.3.0-previe... 4 4/7/2026
4.3.0-previe... 4 4/7/2026
4.3.0-previe... 4 4/7/2026
4.2.0 15 4/7/2026
4.2.0-previe... 4 4/7/2026
4.2.0-previe... 6 4/7/2026
4.2.0-previe... 5 3/31/2026
4.2.0-previe... 2 3/31/2026
4.1.2 39 3/31/2026
4.1.1 7 3/30/2026
4.1.0-previe... 2 3/30/2026
4.1.0-previe... 2 3/30/2026
4.0.0 14 3/30/2026
4.0.0-previe... 2 3/30/2026
4.0.0-previe... 2 3/30/2026
Show less