KRBTGT account password reset
When was the last time you changed the KRBTGT account password? If you don't know the answer, that is most likely a bad sign. Did you know that Microsoft recommends resetting the KRBTGT account password at least every 180 days? In this article, we will look at the KRBTGT account and how to reset its password with a PowerShell script.
KRBTGT account
The KRBTGT account is a built-in default account that acts as the service account for the Key Distribution Center (KDC) service. The key derived from its password encrypts and signs every Kerberos ticket-granting ticket (TGT) the KDC issues, which is why anyone who obtains that key can forge TGTs (so-called Golden Tickets) for any user, and why the password must be rotated. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account is disabled by default and cannot be enabled in Active Directory.
KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created.
Note: You must reset the password for the KRBTGT account on a domain at least every 180 days.
Read the official Microsoft article about KRBTGT Account Password Reset Scripts now available for customers.
Check KRBTGT account password last set
Start Active Directory Users and Computers (ADUC). Click in the menu bar on View and enable Advanced Features.
Find the user object krbtgt and double click on it to open the properties. Click the tab Attribute Editor. Find the attribute pwdLastSet.
Note: The SID of the KRBTGT account is S-1-5-&lt;domain&gt;-502 (the well-known RID 502 appended to the domain SID), and the account lives in the Users container (CN=Users) of the domain by default. Microsoft does not recommend moving this account to another OU or container.
In our example, the KRBTGT account was reset on 28 December 2020.
Another way to check the KRBTGT account password last set time is to run Get-ADUser cmdlet in PowerShell.
PS C:\> Get-ADUser "krbtgt" -Properties Created, PasswordLastSet
Created : 12/28/2020 11:59:33 PM
DistinguishedName : CN=krbtgt,CN=Users,DC=exoip,DC=local
Enabled : False
GivenName :
Name : krbtgt
ObjectClass : user
ObjectGUID : fc7f7914-8bd5-4690-a20f-a31b616f9209
PasswordLastSet : 12/28/2020 11:59:33 PM
SamAccountName : krbtgt
SID : S-1-5-21-977191366-1912192012-2791039455-502
Surname :
UserPrincipalName :
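The Get-ADUser output above tells you the date, but not whether you are past the 180-day mark, and in a domain with read-only domain controllers there is one additional krbtgt_<number> account per RODC that also has a password age. The following added example (not code from the original article or from the reset script) reports the age of every KRBTGT account password in the current domain and flags the ones that are overdue. It assumes the ActiveDirectory RSAT module is installed and that you run it in a domain-joined session; the 180-day threshold is Microsoft's recommendation and is a value you may want to lower.

```powershell
# Added example, not part of the original article: report KRBTGT password age
# for the RWDC account ('krbtgt') and every RODC account ('krbtgt_<number>').
# Assumes the ActiveDirectory module (RSAT) and an authenticated domain session.
Import-Module ActiveDirectory

$MaxAgeDays = 180   # Microsoft's recommended maximum; assumption: adjust to your policy

# LDAP filter catches 'krbtgt' and all 'krbtgt_12345'-style RODC accounts.
$accounts = Get-ADUser -LDAPFilter '(sAMAccountName=krbtgt*)' `
    -Properties PasswordLastSet, 'msDS-KeyVersionNumber'

$report = foreach ($acct in $accounts) {
    $age = (Get-Date) - $acct.PasswordLastSet
    [pscustomobject]@{
        Account         = $acct.SamAccountName
        PasswordLastSet = $acct.PasswordLastSet
        AgeDays         = [int]$age.TotalDays
        # msDS-KeyVersionNumber (KVNO) increments on every password reset; note it
        # now so you can confirm later that it went up by exactly two.
        KeyVersion      = $acct.'msDS-KeyVersionNumber'
        Status          = if ($age.TotalDays -gt $MaxAgeDays) { 'RESET OVERDUE' } else { 'OK' }
    }
}

$report | Sort-Object AgeDays -Descending | Format-Table -AutoSize

if ($report | Where-Object { $_.Status -ne 'OK' }) {
    Write-Warning "One or more KRBTGT passwords are older than $MaxAgeDays days."
}
```

The RODC accounts are listed because the reset script covers both RWDC and RODC KRBTGT accounts; an RODC whose krbtgt_<number> password has never been rotated is easy to overlook when you only inspect the krbtgt object in ADUC.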
KRBTGT account password reset change frequency
How often do you need to reset the KRBTGT account password? Reset the password for the KRBTGT account at least every 180 days. The password must be changed twice to clear the password history effectively: the KDC keeps the previous KRBTGT key and still accepts tickets encrypted with it, so after a single reset any ticket created with the old key, including a forged Golden Ticket, remains valid. Only the second reset pushes the old key out of the history. Changing once, waiting for replication to complete (and ideally for the maximum Kerberos ticket lifetime, 10 hours by default, to pass so outstanding TGTs expire), and then changing again reduces the risk of issues. Changing twice in rapid succession forces all clients, including application services, to re-authenticate, but that is exactly what you want if a compromise is suspected.
Important: We do not recommend scheduling the PowerShell script as an automated task as things can go wrong for multiple environmental reasons.
KRBTGT account password reset PowerShell script
Sign in to the Domain Controller or Management Server.
Download the KRBTGT password reset script from GitHub or directly. The official script name is Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1. At the time of writing, it is on version 2.8. Make sure the file is unblocked to prevent errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.
Note: Version 1 was written by Jared Poeppelman (Microsoft). After that, Jorge de Almeida Pinto rewrote the script and added many features; that is how version 2 was born. We recommend using version 2.
Place the script in the C:\Scripts folder. Create a Scripts folder if you don’t have one.
Run Windows PowerShell as administrator. Change the path to the scripts folder and run the script.
PS C:\> cd C:\scripts
PS C:\scripts> .\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1
The KRBTGT password reset script will ask whether you want to read the script's information, functions, behavior, and impact. Choose Yes and go through the information.
When you finish reading through the information, you will see 9 options to select.
The ones that we will use are:
- 5 – Simulation Mode | Use KrbTgt PROD/REAL Accounts – No Password Reset/WhatIf Mode!
- 6 – Real Reset Mode | Use KrbTgt PROD/REAL Accounts – Password Will Be Reset Once!
Note: Option 5 will do nothing to the environment and will only show you all the details of what will happen. Option 6 will reset the KRBTGT password.
Simulation mode
Press option 5.
Fill in the FQDN of the AD forest to target, or press Enter for the current AD forest. In our example, we target the forest exoip.local, which is the forest we are signed in to. Press Enter.
Fill in the FQDN of the AD domain to target, or press Enter for the current domain. In our example, we target the domain exoip.local. Press Enter.
Select which KRBTGT account you want to target. Select 1. Type Continue and press Enter.
If everything is looking good, proceed to the next step.
Real reset mode
Repeat the steps above, but this time select option 6.
The output will show that a new password is set for the account KRBTGT.
The KRBTGT account password reset script successfully set a new password for the KRBTGT account.
Verify KRBTGT account password has been set
Start Active Directory Users and Computers (ADUC). Find the user object krbtgt and double click on it to open the properties. Click the tab Attribute Editor. Find the attribute pwdLastSet.
In our example, we can verify that the KRBTGT account was successfully reset on 9 September 2021 (today).
Reset KRBTGT account password twice
Wait for AD replication to complete, then run the script again (option 6) to change the KRBTGT password a second time. In a multi-site environment, waiting until replication has reached every domain controller before the second reset is recommended; waiting until the next day is a safe choice.
The password must be changed twice to remove the old key from the password history effectively. Changing once, waiting for replication to complete, and changing again reduces the risk of issues.
Check the KRBTGT account pwdLastSet attribute after the second password reset.
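Checking pwdLastSet on one domain controller only proves that one DC has the new password. The following added example (not code from the original article or from the reset script) asks every writable domain controller directly, so you can confirm that the first reset has replicated everywhere, and that no DC is unreachable, before you run the second reset. It assumes the ActiveDirectory RSAT module and a session that can query all DCs; the msDS-KeyVersionNumber (KVNO) comparison is used as the replication indicator because that attribute increments on every password reset.

```powershell
# Added example, not part of the original article: verify that the new KRBTGT
# password has replicated to every writable DC before running the second reset.
# Assumes the ActiveDirectory module (RSAT) and network access to all DCs.
Import-Module ActiveDirectory

# RODCs carry their own krbtgt_<number> accounts, so only writable DCs are compared here.
$writableDCs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }

$results = foreach ($dc in $writableDCs) {
    try {
        # -Server forces the query to this DC's own replica instead of any DC.
        $u = Get-ADUser -Identity 'krbtgt' -Server $dc.HostName `
            -Properties pwdLastSet, 'msDS-KeyVersionNumber'
        [pscustomobject]@{
            DC         = $dc.HostName
            PwdLastSet = [datetime]::FromFileTimeUtc($u.pwdLastSet)   # raw FILETIME -> UTC
            KeyVersion = $u.'msDS-KeyVersionNumber'
            Error      = $null
        }
    } catch {
        # An unreachable DC is exactly what you want to find out now, not after reset two.
        [pscustomobject]@{
            DC = $dc.HostName; PwdLastSet = $null; KeyVersion = $null
            Error = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

$failed   = $results | Where-Object { $_.Error }
$versions = $results | Where-Object { -not $_.Error } |
            Select-Object -ExpandProperty KeyVersion -Unique

if ($failed -or @($versions).Count -ne 1) {
    Write-Warning 'Replication incomplete or a DC is unreachable: do NOT run the second reset yet.'
} else {
    Write-Host "All writable DCs agree on KVNO $versions; safe to proceed with the second reset."
}
```

Run it after the first reset and again after the second: the KVNO reported by every DC should be one higher after the first reset and two higher after the second, relative to the value before you started. If you prefer a built-in tool, repadmin /showobjmeta <DC> <krbtgt DN> shows the per-attribute replication metadata, including the originating DC and version of the password attribute, and should agree across DCs once replication is complete.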
That’s it!
Conclusion
You learned how to reset the KRBTGT account password. Run the reset KRBTGT account password PowerShell script in simulation mode first. After that, run the PowerShell script in real reset mode. Do not forget to wait for AD replication to complete and rerun the script again to remove the password history.
Did you enjoy this article? You may also like Force password sync with Azure AD Connect. Don’t forget to follow us and share this article.
Great script, but I'd suggest changing the text colour to RED if an error is found in the checking phase – I didn't notice I had a DC offline until AFTER running the script in mode 6; I didn't spot it when running mode 5.
You know you can just follow this and do it in about 5 seconds, no scripts.
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password
You are already in there to check last date why not reset it there too?
The script has a “WhatIf mode” and more options.
I just came here for the same reason. I saw a guide with the "right-click change password", and I could understand the complexity of the ps1 script.
On my DC that script prints a lot of errors about unclosed quotes, etc.
I will just go with the right click change password thing
Hi
Nice article
Is it worth executing the other modes for test and precheck, as it suggests when you run the script (v2.8)?
It is highly recommended to use the following order of execution: <<<
Mode 1 – Informational Mode (No Changes At All)
Mode 8 – Create TEST KrbTgt Accounts
Mode 2 – Simulation Mode (Temporary Canary Object Created, No Password Reset!)
Mode 3 – Simulation Mode – Use KrbTgt TEST/BOGUS Accounts (No Password Reset, Check Only!)
Mode 4 – Real Reset Mode – Use KrbTgt TEST/BOGUS Accounts (Password Will Be Reset Once!)
Mode 5 – Simulation Mode – Use KrbTgt PROD/REAL Accounts (No Password Reset, Check Only!)
Mode 6 – Real Reset Mode – Use KrbTgt PROD/REAL Accounts (Password Will Be Reset Once!)
Mode 9 – Cleanup TEST KrbTgt Accounts (Could be skipped to reuse accounts the next time!)
There is no harm in doing that order. But, I always use only Mode 5 and Mode 6, as shown in the article.
Hi Ali, nice work!
The only thing is do we need to know what password does the script set to?
Cheers, Mark
Hi Mark,
No, you don’t need to know the KRBTGT password that the script sets.
Nice article Ali. Please keep sharing