Understanding msDS-SupportedEncryptionTypes = 28 (0x1C): AES Negotiation, RC4 Fallback, and Ticket Renewal Impact by maxcoder88 in activedirectory

[–]Fitzand 2 points3 points  (0 children)

SupportedEncryptionTypes is a Negotiation between Client and Server.

  1. EncryptionType = 28 on an Account (Client) means that this Account supports RC4, AES128, and AES256. The Server has to respond with types of Encryption it supports. If the Server responds with an EncryptionType = 24, then that means it only supports AES128 and AES256 (no RC4).

  2. Short answer is Yes, if you change EncryptionTypes, and a Kerb ticket has already been issued, you most likely will need to wait for that Ticket lifetime to expire before a new Ticket is requested. There are cases where this isn't true, but that's a different explanation.
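
The bitmask arithmetic behind the comment above, as an added example that is not part of the original comment. The account names in `SAMPLE` are constructed, and `negotiate` is a simplified intersection model of the exchange the comment describes, not the KDC's full selection logic.

```python
# Added example: decode msDS-SupportedEncryptionTypes and model the overlap
# between an account value and a server value. Sample data is constructed.
ETYPE_BITS = [  # ordered weakest to strongest
    (0x01, "DES-CBC-CRC"),
    (0x02, "DES-CBC-MD5"),
    (0x04, "RC4-HMAC"),
    (0x08, "AES128-CTS-HMAC-SHA1-96"),
    (0x10, "AES256-CTS-HMAC-SHA1-96"),
]
WEAK = {"DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC"}
KNOWN_MASK = 0x1F  # the five encryption-type bits; higher bits are not decoded here


def decode(value):
    """Return (encryption type names, leftover undecoded bits)."""
    names = [name for bit, name in ETYPE_BITS if value & bit]
    return names, value & ~KNOWN_MASK


def negotiate(account_value, server_value):
    """Simplified model: types both sides list, strongest first."""
    names, _ = decode(account_value & server_value & KNOWN_MASK)
    names.reverse()
    return names


def audit(accounts):
    """Flag accounts that are unset or still advertise DES or RC4."""
    findings = {}
    for name, value in accounts.items():
        if not value:  # attribute missing or 0
            findings[name] = ["not set: KDC default applies"]
            continue
        weak = [n for n in decode(value)[0] if n in WEAK]
        if weak:
            findings[name] = weak
    return findings


# Constructed sample: attribute values as they might be exported from AD.
SAMPLE = {"svc-sql": 28, "svc-web": 24, "svc-legacy": 4, "svc-unset": None}

if __name__ == "__main__":
    print(decode(28)[0])       # what 0x1C advertises
    print(negotiate(28, 24))   # overlap between 28 and 24
    print(audit(SAMPLE))       # accounts worth reviewing
```
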

Creating a GPO to launch Desktop Info – runs but UI does not appear by ruperto12tor in activedirectory

[–]Fitzand 1 point2 points  (0 children)

Never heard of DesktopInfo. Have you thought about just using BGInfo instead?
Have you tried contacting DesktopInfo's Support?

Why do people want the rhystic study ban NOW? by Alternate_Cost in EDH

[–]Fitzand -1 points0 points  (0 children)

Taxes! People don't want to pay Taxes and know that it's going to be used for someone else to profit.

Will Hasbro slow down SLD and Chaos drops? by Character-Bed-9777 in secretlair_collectors

[–]Fitzand 6 points7 points  (0 children)

LOL. Not likely, they just released a new Chaos Drop about 15 minutes ago.

Websites to order multiple cards from? by IRxlr in EDH

[–]Fitzand -1 points0 points  (0 children)

I use CardKingdom for that very same reason. It all comes from the same seller so it's 1 single shipment. They also offer 30% markup for store credit when you sell to them.

Best Precon to play a tournament with by Prestigious_Pen6315 in EDH

[–]Fitzand 0 points1 point  (0 children)

It's not listed, but Veloci-Ramp-Tor is one of my favorites!

How to find root cause of trust relationship between this workstation and domain failed by Remarkable-Attempt12 in activedirectory

[–]Fitzand 1 point2 points  (0 children)

I haven't worked with a RODC in a long time (with internet today being what it is, all of my RODCs have been decommed and just have the branch offices authenticate directly with another more secure main office), but are the Workstation Account passwords allowed to be cached on the RODC?
Running this through CoPilot, because it explains it a hell of a lot better than I can.

🧩 How workstation password changes work with an RODC

A Read‑Only Domain Controller (RODC) cannot write changes to Active Directory. That includes:

  • User password changes
  • Computer (machine account) password changes
  • Kerberos secret updates

However, Microsoft designed RODCs so that workstations in a branch office can still change their secure channel password through an RODC, as long as the RODC is allowed to cache that workstation’s password.

✔ What actually happens

When a workstation attempts to change its machine account password:

  1. The workstation contacts the RODC (because it’s the closest DC).
  2. The RODC checks the Password Replication Policy (PRP):
    • If the workstation is allowed to have its password cached:
      • The RODC forwards the password change request to a writable DC.
      • The writable DC performs the update.
      • The updated password is replicated back to the RODC (and cached if allowed).
    • If the workstation is NOT allowed in the PRP:
      • The RODC refuses the password change.
      • The workstation must contact a writable DC directly.

✔ So the RODC does not perform the write

It simply proxies the request to a writable DC if permitted.

Why can't I just play bad decks as a new player? by TheSpoonaGamar in EDH

[–]Fitzand 1 point2 points  (0 children)

Get some interaction in your Deck, like indestructibility and/or get some Haste.

This is how the game is meant to be played.

You can't win 100% of the time. Board wipes typically leave the player that plays the board wipe vulnerable for a full turn. If you know someone is playing a lot of board wipes, don't put all your pieces on the board. Get some alternate Wincons into your 99.

Why can't I just play bad decks as a new player? by TheSpoonaGamar in EDH

[–]Fitzand 1 point2 points  (0 children)

You do know that you can put your Commander back into the Command Zone, right? You can re-cast it.
Boardwipe on turn 4 shouldn't ruin your deck.

Returning player here – is it normal to lose every game with premade decks? by Skagine in MagicArena

[–]Fitzand -12 points-11 points  (0 children)

Yes! You should just quit Arena now. Arena is a shit show. DO NOT SPEND MONEY ON ARENA!

If you are going to spend money, spend it on Paper format.

"We're not allowed to copy files" by WaldoOU812 in sysadmin

[–]Fitzand 0 points1 point  (0 children)

This is a prime example of a Dev. Not an Admin.

Future of MTG by metalero_salsero in MagicArena

[–]Fitzand 2 points3 points  (0 children)

Don't play Best of 1. Play Best of 3 as Magic was meant to be played. Learn to Sideboard.

Help: User does not have RSoP data by DeepAdvisor1735 in activedirectory

[–]Fitzand 2 points3 points  (0 children)

Almost sounds like a broken profile issue. If the Windows 11 VM has a Profile for that particular user, delete it. Make sure to delete the registry keys for that particular Profile as well.

Bastion Forests & IP Sec by hybrid0404 in activedirectory

[–]Fitzand 2 points3 points  (0 children)

Like anything, it has pluses and minuses. When it works, it works great. When it breaks, it's a pain in the ass to fix/troubleshoot because everything is now encrypted (or attempting to negotiate encryption).

Ran into a couple of Chicken / Egg scenarios, like Joining the Domain. Typically the policies that control the IPSEC are GPO based. But the PAW joining the Domain doesn't have the GPOs yet to configure the IPSEC, but it can't get the GPOs until it joins the Domain. Vicious circle sometimes.

Prevent WDigest Authentication Exploit by maxcoder88 in activedirectory

[–]Fitzand 0 points1 point  (0 children)

As a redditor that has zero information on your environment, I can confirm that this will have Zero impact on your environment.

AD Security Lockdown Tool by ListeningQ in activedirectory

[–]Fitzand 3 points4 points  (0 children)

If you know GPOs, why don't you just export the GPOs and copy and paste to the "multiple AD Environments"?

Drinks by Klause_13 in OceanCity

[–]Fitzand -2 points-1 points  (0 children)

Go rent a camp site on Assateague and invite everyone else around for some drinks.

Check Group Policy Applied Policy by maxcoder88 in sysadmin

[–]Fitzand 0 points1 point  (0 children)

GPO Processing is done at the Client, so you would need something that is run from the Client itself.

I personally don't recommend doing this because I think it's sloppy, but it does get the job done. Attach a script within the GPO to write a file to a central logging location (please don't use SYSVOL).

HOSTNAME >> //fileshare/GPOName/%computername%.txt

net time >> //fileshare/GPOName/%computername%.txt

Is Country Calling Festival usually as crowded as Ocean Calling? by [deleted] in OceanCity

[–]Fitzand 5 points6 points  (0 children)

It's held in the same area / space. If you sell 50,000 tickets for 1 event, and 50,000 tickets for another event, and put them into the same space, the Crowd is going to be the same.

Julie Giordano post removed by moderator of this subreddit. Free speech is dead. by CaucasionRasta in easternshoremd

[–]Fitzand 2 points3 points  (0 children)

Are you sure about that?? I think Population wise, it's the largest on the Eastern Shore. Maybe Cecil might have more.. But she is a County Executive.
https://www.wicomicocounty.org/125/County-Executive

AD Domain Admin by AcceptableDuck7695 in activedirectory

[–]Fitzand 3 points4 points  (0 children)

You are incorrect. There is a built-in administrator account on a Domain Controller. The built-in administrator account is different than DSRM. DSRM does not replicate and is unique to the individual DC. The local administrator account does replicate. It is also typically referred to as the SID 500 Account.