KRBTGT account password reset
When was the last time you changed the KRBTGT account password? If you don’t know the answer, that is most likely a bad sign. Did you know that Microsoft recommends resetting the KRBTGT account password at least every 180 days? In this article, we will look at the KRBTGT account and how to reset the password with a PowerShell script.
KRBTGT account
The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory.
KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created.
Note: You must reset the password for the KRBTGT account on a domain at least every 180 days.
Read the official Microsoft article about KRBTGT Account Password Reset Scripts now available for customers.
Check KRBTGT account password last set
Start Active Directory Users and Computers (ADUC). Click in the menu bar on View and enable Advanced Features.
Find the user object krbtgt and double-click on it to open the properties. Click the tab Attribute Editor. Find the attribute pwdLastSet.
Note: The SID for the KRBTGT account is S-1-5-<domain>-502 and lives in the Users OU in the domain by default. Microsoft does not recommend moving this account to another OU.
In our example, the KRBTGT account was last set on 24 October 2023.
Another way to check the KRBTGT account password last set time is to run Get-ADUser cmdlet in PowerShell.
Get-ADUser "krbtgt" -Property Created, PasswordLastSet
The below output appears with the details.
Created : 5/1/2023 12:31:55 PM
DistinguishedName : CN=krbtgt,CN=Users,DC=exoip,DC=local
Enabled : False
GivenName :
Name : krbtgt
ObjectClass : user
ObjectGUID : d99a5ba6-f2ea-4a14-9b52-57bd425786a1
PasswordLastSet : 10/24/2023 05:20:19 PM
SamAccountName : krbtgt
SID : S-1-5-21-1083891243-2317051905-4228426097-502
Surname :
UserPrincipalName :
KRBTGT account password reset change frequency
How often do you need to reset the KRBTGT account password? Reset the password for the KRBTGT account at least every 180 days. The password must be changed twice to remove the password history effectively. Changing once, waiting for replication to complete, and changing again reduces the risk of issues. Changing twice in rapid succession forces clients (including application services) to re-authenticate, but is desired if a compromise is suspected.
Important: We do not recommend scheduling the PowerShell script as an automated task as things can go wrong for multiple environmental reasons.
KRBTGT account password reset PowerShell script
Sign in to the Domain Controller or Management Server.
Download the KRBTGT password reset script from GitHub or direct. The official script name is Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1. At the moment of writing, it’s on version 3.4.
Ensure the file is unblocked to prevent errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.
Note: Version 1 was written by Jared Poeppelman (Microsoft). After that, Jorge de Almeida Pintore rewrote the script, added tons of features, and that’s how the new version was born. We recommend using version 3.
Place the script in the C:\Scripts folder. Create a Scripts folder if you don’t have one.
Run Windows PowerShell as administrator and run the script.
cd C:\Scripts
.\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1
The KRBTGT password reset script will ask whether you want to read the script’s information, functions, behavior, and impact. Click Yes and go through the information.
When you finish reading through the information, you will see 9 options to select.
The ones that we will use are:
- 5 – Simulation Mode | Use KrbTgt PROD/REAL Accounts – No Password Reset/WhatIf Mode!
- 6 – Real Reset Mode | Use KrbTgt PROD/REAL Accounts – Password Will Be Reset Once!
Note: Option 5 will do nothing to the environment and will only show you all the details of what will happen. Option 6 will reset the KRBTGT password.
Simulation mode
Press option 5.
Fill in the AD forest FQDN that will be targeted, or press enter for the current AD forest. We like to target the forest exoip.local, which we are on now. After that, press Enter.
Fill in the AD domain FQDN that will be targeted, or press enter for the current domain. We like to target the domain exoip.local, which we are on now. After that, press Enter.
Select which KRBTGT account you want to target. Select 1. Type Continue and press Enter.
If everything looks good, proceed to the next step.
Real reset mode
Do the same steps as above. But, this time, press option 6.
The output will show that a new password is set for the account KRBTGT.
The KRBTGT account password reset script successfully set a new password for the KRBTGT account.
Verify KRBTGT account password has been set
Start Active Directory Users and Computers (ADUC). Find the user object krbtgt and double-click on it to open the properties. Click the tab Attribute Editor. Find the attribute pwdLastSet.
In our example, we can verify that the KRBTGT account was successfully reset on 24 February 2024 (today).
Check Windows Security event logs
After you run Mode 5 – Simulation Mode, the below events appear in the Security event logs:
- Event ID 4662
After you run Mode 6 – Real Reset Mode, the below events appear in the Security event logs:
- Event ID 4662
- Event ID 4738
- Event ID 4724
This is what Event ID 4724 looks like.
An attempt was made to reset an account’s password
This is what Event ID 4738 looks like.
A user account was changed.
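To confirm the reset from the Security log, or to alert on a KRBTGT password reset that happens outside a planned maintenance window, the two events the article shows (4724 and 4738) can be pulled and filtered on the target account. This is an added example, not code from the article or from the reset script; it assumes you can read the Security log on the DC named in -ComputerName, and the function name Get-KrbtgtResetEvent is chosen here. Event 4662 is deliberately left out because it fires for many object accesses and identifies the object by GUID rather than by name.

```powershell
# Added example: list 4724/4738 events that target the krbtgt account on one DC.
# Assumes read access to the Security log on that DC (local or via -ComputerName).
function Get-KrbtgtResetEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24   # look-back window; widen it to check replication across days
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4724, 4738        # 4724: password reset attempt, 4738: account changed
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent writes an error when no events match; treat that as an empty result.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the EventData fields (TargetUserName, SubjectUserName, ...) out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Target      = $data['TargetUserName']     # the account whose password was reset
                Subject     = $data['SubjectUserName']    # who performed the reset
                Computer    = $_.MachineName
            }
        } |
        Where-Object { $_.Target -eq 'krbtgt' } |
        Sort-Object TimeCreated
}

# Example use: anything listed here that is not your planned reset deserves a look.
Get-KrbtgtResetEvent -Hours 48 | Format-Table -AutoSize
```

Running it against a second DC with -ComputerName shows whether the change has replicated; a 4724 on krbtgt performed by an account that is not your administrative account is a reason to investigate.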
Reset KRBTGT account password twice
Wait for AD replication to complete and repeat the same steps to change the KRBTGT password. If you have a multi-site environment and want to wait longer for replication to complete, that’s fine and recommended. Then, wait for the next day and run the script again to change the KRBTGT account password.
The password must be changed twice to remove the password history effectively. Changing once, waiting for replication to complete, and changing again reduces the risk of issues.
Check the KRBTGT account pwdLastSet attribute after the second password reset.
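The pwdLastSet check above, and the "wait for replication before the second reset" step in this section, can be done in one pass instead of opening ADUC on each DC. The following is an added example, not code from the article or from the reset script; it assumes the ActiveDirectory module is installed and that the account running it can query every writable DC, and the function name Get-KrbtgtPasswordState is chosen here. It also generalizes the article's single Get-ADUser call by reading pwdLastSet from every writable DC, so a DC that has not yet replicated (or is unreachable, the situation one commenter ran into) shows up before the second reset is run.

```powershell
# Added example: report the KRBTGT password age on every writable DC and whether
# pwdLastSet has converged. Assumes the ActiveDirectory module and rights to query each DC.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordState {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [int]$MaxAgeDays = 180   # Microsoft's recommended maximum interval
    )
    $dcs = Get-ADDomainController -Filter * -Server $Domain |
           Where-Object { -not $_.IsReadOnly }   # RODCs have their own krbtgt_<id> accounts
    $perDc = foreach ($dc in $dcs) {
        try {
            # Query each DC directly so replication lag is visible per DC.
            $acct    = Get-ADUser krbtgt -Server $dc.HostName -Properties pwdLastSet
            $lastSet = [DateTime]::FromFileTimeUtc($acct.pwdLastSet)
            [pscustomobject]@{
                DomainController = $dc.HostName
                PwdLastSetUtc    = $lastSet
                AgeDays          = [int]((Get-Date).ToUniversalTime() - $lastSet).TotalDays
                Error            = $null
            }
        } catch {
            # An unreachable DC must be known before a real reset, not after it.
            [pscustomobject]@{ DomainController = $dc.HostName; PwdLastSetUtc = $null
                               AgeDays = $null; Error = $_.Exception.Message }
        }
    }
    $ok       = @($perDc | Where-Object { $null -eq $_.Error })
    $distinct = @($ok.PwdLastSetUtc | Sort-Object -Unique).Count
    $oldest   = ($ok.AgeDays | Measure-Object -Maximum).Maximum
    [pscustomobject]@{
        Domain          = $Domain
        DCsQueried      = @($perDc).Count
        DCsUnreachable  = @($perDc | Where-Object { $_.Error }).Count
        Replicated      = ($distinct -eq 1)          # every reachable DC reports the same pwdLastSet
        OldestAgeDays   = $oldest
        OverdueForReset = ($oldest -gt $MaxAgeDays)   # true when the 180-day guidance is exceeded
        PerDC           = $perDc
    }
}

# Example use: run before the first reset (age check) and again before the second (replication check).
$state = Get-KrbtgtPasswordState
$state | Select-Object Domain, DCsQueried, DCsUnreachable, Replicated, OldestAgeDays, OverdueForReset
$state.PerDC | Format-Table -AutoSize
```

Only proceed with the second reset when Replicated is True and DCsUnreachable is 0; otherwise wait, or find out why a DC is not answering.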
That’s it!
Conclusion
You learned how to reset the KRBTGT account password. Run the reset KRBTGT account password PowerShell script in simulation mode first. After that, run the PowerShell script in real reset mode. Do not forget to wait for AD replication to complete and rerun the script again to remove the password history.
Hi,
Is there a risk or something else of changing the Kerberos password ?
I mean, can we reset the password during the day without causing problems for active users? Or we have to change it before leaving, in the evening ?
Regards,
There is no risk.
What is the event generated after changing the KRBTGT account password? I would like to monitor this event!
You can monitor the events in Windows Logs > Security:
– First event: 4724 (An attempt was made to reset an account’s password)
– Second event: 4738 (A user account was changed)
Great script but I’d suggest changing the text colour to RED if an error is found in the checking phase – I didn’t notice I had a DC offline until AFTER running the script in mode 6, didn’t spot it when running mode 5.
You know you can just follow this and do it in about 5 seconds, no scripts.
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password
You are already in there to check last date why not reset it there too?
The script has a “WhatIf mode” and more options.
I just came here for the same reason. I saw a guide with the “right-click change password” And I could understand the complexity of the ps1 script
On my DC that script prints a lot of errors on not closed quotes, etc
I will just go with the right click change password thing
Hi
Nice article
Is it worth executing the other modes for test and precheck, as it suggests when you run the script:
It is highly recommended to use the following order of execution: !!!
Mode 1 – Informational Mode (No Changes At All)
Mode 8 – Create TEST KrbTgt Accounts
Mode 2 – Simulation Mode (Temporary Canary Object Created, No Password Reset!)
Mode 3 – Simulation Mode – Use KrbTgt TEST/BOGUS Accounts (No Password Reset, Check Only!)
Mode 4 – Real Reset Mode – Use KrbTgt TEST/BOGUS Accounts (Password Will Be Reset Once!)
Mode 5 – Simulation Mode – Use KrbTgt PROD/REAL Accounts (No Password Reset, Check Only!)
Mode 6 – Real Reset Mode – Use KrbTgt PROD/REAL Accounts (Password Will Be Reset Once!)
Mode 9 – Cleanup TEST KrbTgt Accounts (Could be skipped to reuse accounts the next time!)
There is no harm in doing that order. But, I always use only Mode 5 and Mode 6, as shown in the article.
Hi Ali, nice work!
The only thing is do we need to know what password does the script set to?
Cheers, Mark
Hi Mark,
No, you don’t need to know the KRBTGT password that the script sets.
Nice article Ali. Please keep sharing