See perhaps "Active Directory Hardening Series - Part 4 – Enforcing AES for Kerberos":

> Identifying devices limited to RC4 is a critical step but has historically been a tricky problem to solve. However, a recently discovered "feature" in 4768 events can help you identify such devices. […] As a result, 4768 events can be used to identify devices that only support RC4.

* https://techcommunity.microsoft.com/blog/coreinfrastructurea...

Also:

> While DES has long been considered insecure, CVE-2022-37966 accelerates the departure of RC4 for the encryption of Kerberos tickets. If you have not explicitly assigned an algorithm to accounts, then AES will be used in the future. You can use PowerShell to determine which accounts are vulnerable to weak encryption.

* https://blog.sonnes.cloud/find-active-directory-accounts-con...

There are certainly disadvantages to legacy support being 'too good'.
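
An added example, not part of the comment above or the linked articles: one way to do the PowerShell check the second quote mentions, by decoding each account's `msDS-SupportedEncryptionTypes` bitmask and flagging anything that still permits DES or RC4. The helper name `Get-KerberosEtypeFinding`, the finding labels and the sample accounts are assumptions made for illustration; the live query at the end needs the ActiveDirectory module.

```powershell
# Added example. Bit values for msDS-SupportedEncryptionTypes as defined in MS-KILE.
$EtypeBits = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128'      = 0x08
    'AES256'      = 0x10
}

# Hypothetical helper: classifies one account object by its encryption-type bitmask.
function Get-KerberosEtypeFinding {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$Account)
    process {
        $raw   = $Account.'msDS-SupportedEncryptionTypes'
        $value = if ($null -eq $raw) { 0 } else { [int]$raw }
        # Names of the etype bits that are set, in table order.
        $names = @($EtypeBits.GetEnumerator() |
                   Where-Object { $value -band $_.Value } |
                   ForEach-Object { $_.Key })
        $hasAes = [bool]($value -band 0x18)
        $finding = if (($value -band 0x1F) -eq 0) { 'No etype assigned (domain default applies)' }
                   elseif ($value -band 0x03)     { 'DES enabled' }
                   elseif (-not $hasAes)          { 'RC4 only' }
                   elseif ($value -band 0x04)     { 'RC4 allowed alongside AES' }
                   else                           { 'AES only' }
        [pscustomobject]@{
            Account = $Account.SamAccountName
            Value   = '0x{0:X}' -f $value
            Etypes  = $names -join ', '
            Finding = $finding
        }
    }
}

# Constructed sample records so the script runs without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-legacy';  'msDS-SupportedEncryptionTypes' = 0x04 }
    [pscustomobject]@{ SamAccountName = 'svc-oldunix'; 'msDS-SupportedEncryptionTypes' = 0x03 }
    [pscustomobject]@{ SamAccountName = 'svc-mixed';   'msDS-SupportedEncryptionTypes' = 0x1C }
    [pscustomobject]@{ SamAccountName = 'svc-modern';  'msDS-SupportedEncryptionTypes' = 0x18 }
    [pscustomobject]@{ SamAccountName = 'jdoe';        'msDS-SupportedEncryptionTypes' = $null }
)
$sample | Get-KerberosEtypeFinding | Where-Object Finding -ne 'AES only' | Format-Table -AutoSize

# Against a live domain (ActiveDirectory module), feed real objects instead:
# Get-ADUser -Filter * -Properties 'msDS-SupportedEncryptionTypes' | Get-KerberosEtypeFinding
```

Accounts reported as having no etype assigned are the ones whose behaviour depends on the domain-wide default rather than on an explicit setting, so they are worth reviewing separately from the explicit RC4 and DES cases.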