
KRBTGT account password reset

When was the last time you changed the KRBTGT account password? If you don’t know the answer, that is most likely a bad sign. Did you know that Microsoft recommends resetting the KRBTGT account password at least every 180 days? In this article, we will look at the KRBTGT account and how to reset its password with a PowerShell script.

KRBTGT account

The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory.

KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created.

Note: You must reset the password for the KRBTGT account on a domain at least every 180 days.

Read the official Microsoft article about KRBTGT Account Password Reset Scripts now available for customers.

Check KRBTGT account password last set

Start Active Directory Users and Computers (ADUC). Click in the menu bar on View and enable Advanced Features.

Enable Advanced Features in Active Directory Users and Computers

Find the user object krbtgt and double click on it to open the properties. Click the tab Attribute Editor. Find the attribute pwdLastSet.

Note: The SID for the KRBTGT account is S-1-5-<domain>-502 and lives in the Users OU in the domain by default. Microsoft does not recommend moving this account to another OU.

In our example, the KRBTGT account was reset on 28 December 2020.

KRBTGT account password reset pwdLastSet

Another way to check when the KRBTGT account password was last set is to run the Get-ADUser cmdlet in PowerShell.

PS C:\> Get-ADUser "krbtgt" -Property Created, PasswordLastSet


Created           : 12/28/2020 11:59:33 PM
DistinguishedName : CN=krbtgt,CN=Users,DC=exoip,DC=local
Enabled           : False
GivenName         :
Name              : krbtgt
ObjectClass       : user
ObjectGUID        : fc7f7914-8bd5-4690-a20f-a31b616f9209
PasswordLastSet   : 12/28/2020 11:59:33 PM
SamAccountName    : krbtgt
SID               : S-1-5-21-977191366-1912192012-2791039455-502
Surname           :
UserPrincipalName :
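The Get-ADUser output above tells you the date, but not how far past the 180-day guidance you are. The following script is an added example (not part of the original article) that reads pwdLastSet from the PDC emulator, converts the FileTime value, and flags the account when the age exceeds the threshold. The Server default and the 180-day limit are assumptions you can change; it needs the ActiveDirectory RSAT module and read access to the krbtgt object.

```powershell
# Added example: report the age of the KRBTGT password and compare it with the 180-day guidance.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordAge {
    param(
        # Assumption: the PDC emulator is a good single source; any writable DC works.
        [string]$Server = (Get-ADDomain).PDCEmulator,
        [int]$MaxAgeDays = 180
    )

    # pwdLastSet is stored as a Windows FileTime (Int64); PasswordLastSet is the cmdlet's converted copy.
    $krbtgt = Get-ADUser -Identity 'krbtgt' -Server $Server -Properties pwdLastSet, PasswordLastSet, Created

    $lastSet = [DateTime]::FromFileTime($krbtgt.pwdLastSet)
    $age     = (Get-Date) - $lastSet

    [PSCustomObject]@{
        Server          = $Server
        Created         = $krbtgt.Created
        PasswordLastSet = $lastSet
        AgeDays         = [int]$age.TotalDays
        Overdue         = ($age.TotalDays -gt $MaxAgeDays)
    }
}

$report = Get-KrbtgtPasswordAge
$report | Format-List

if ($report.Overdue) {
    Write-Warning "KRBTGT password is $($report.AgeDays) days old; Microsoft recommends a reset at least every 180 days."
}
```

Run it from an elevated PowerShell session on a domain-joined machine with RSAT installed. A PasswordLastSet equal to the Created timestamp, as in the output above, means the password has never been rotated since the domain was built.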

KRBTGT account password reset change frequency

How often do you need to reset the KRBTGT account password? Reset the password for the KRBTGT account at least every 180 days. The password must be changed twice to remove the password history effectively. Changing once, waiting for replication to complete, and changing again reduces the risk of issues. Changing twice in rapid succession forces clients to re-authenticate (including application services), but it is desired if a compromise is suspected.

Important: We do not recommend scheduling the PowerShell script as an automated task as things can go wrong for multiple environmental reasons.

KRBTGT account password reset PowerShell script

Sign in to the Domain Controller or Management Server.

Download the KRBTGT password reset script from GitHub or direct. The official script name is Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1. At the moment of writing, it’s on version 2.8. Make sure the file is unblocked to prevent errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.

Note: Version 1 was written by Jared Poeppelman (Microsoft). After that, Jorge de Almeida Pinto rewrote the script, added tons of features, and that’s how version 2 was born. We recommend using version 2.

Place the script in the C:\Scripts folder. Create a Scripts folder if you don’t have one.
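Before running a script that resets the KRBTGT password, it is worth checking what you actually downloaded. The snippet below is an added example (not part of the original article or of the reset script itself): it looks for the Zone.Identifier stream that causes the "not digitally signed" error, unblocks the file, compares its SHA-256 hash with the value you recorded from the download source, and shows the Authenticode status. The path is the one used in this article; the expected hash is a placeholder you must replace.

```powershell
# Added example: verify the downloaded reset script before running it.
$ScriptPath   = 'C:\Scripts\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1'
$ExpectedHash = '<SHA256-RECORDED-FROM-DOWNLOAD-SOURCE>'   # placeholder (assumption)

if (-not (Test-Path -Path $ScriptPath)) {
    throw "Script not found at $ScriptPath"
}

# 1. Files downloaded with a browser carry a Zone.Identifier alternate data stream ("mark of the web").
$zone = Get-Item -Path $ScriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) {
    Write-Host 'File is blocked (Zone.Identifier present); unblocking.'
    Unblock-File -Path $ScriptPath
} else {
    Write-Host 'File is not blocked.'
}

# 2. Compare the hash with the value you recorded when you downloaded the script.
$actualHash = (Get-FileHash -Path $ScriptPath -Algorithm SHA256).Hash
if ($actualHash -eq $ExpectedHash) {
    Write-Host "SHA256 matches: $actualHash"
} else {
    Write-Warning "SHA256 is $actualHash, which does not match the recorded value. Do not run the script until you have checked the download."
}

# 3. Show the signature status and the effective execution policy.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
Write-Host "Signature status: $($sig.Status)"
Get-ExecutionPolicy -List
```

A status of NotSigned is not a defect of the script; it simply means you rely on the hash comparison and the execution policy of the session rather than on a publisher signature.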

KRBTGT account password reset scripts folder

Run Windows PowerShell as administrator. Change the path to the scripts folder and run the script.

PS C:\> cd C:\scripts
PS C:\scripts> .\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1

The KRBTGT password reset script will ask whether you want to read the script’s information, functions, behavior, and impact. Click Yes and go through the information.

KRBTGT account password reset script step 1

When you finish reading through the information, you will see 9 options to select.

The ones that we will use are:

  • 5 – Simulation Mode | Use KrbTgt PROD/REAL Accounts – No Password Reset/WhatIf Mode!
  • 6 – Real Reset Mode | Use KrbTgt PROD/REAL Accounts – Password Will Be Reset Once!

KRBTGT account password reset script step 2

Note: Option 5 will do nothing to the environment and will only show you all the details of what will happen. Option 6 will reset the KRBTGT password.

Simulation mode

Press option 5.

Fill in the AD forest FQDN that will be targeted, or press Enter for the current AD forest. We want to target the forest exoip.local, which is the one we are in now. After that, press Enter.

KRBTGT account password reset script step 3

Fill in the AD domain FQDN that will be targeted, or press Enter for the current domain. We want to target the domain exoip.local, which is the one we are in now. After that, press Enter.

KRBTGT account password reset script step 4

Select which KRBTGT account you want to target. Select 1. Type Continue and press Enter.

KRBTGT account password reset script step 5

If everything is looking good, proceed to the next step.

Real reset mode

Follow the same steps as above, but this time press option 6.

The output will show that a new password is set for the account KRBTGT.

KRBTGT account password reset script step 6

The KRBTGT account password reset script successfully set a new password for the KRBTGT account.

Verify KRBTGT account password has been set

Start Active Directory Users and Computers (ADUC). Find the user object krbtgt and double click on it to open the properties. Click the tab Attribute Editor. Find the attribute pwdLastSet.

In our example, we can verify that the KRBTGT account was successfully reset on 9 September 2021 (today).

Verify KRBTGT pwdLastSet succeed

What’s next?

Wait for AD replication to complete and run the same steps again to change the KRBTGT password a second time. If you have a multi-site environment and want to wait for replication to complete, that’s fine and recommended. Then, wait until the next day and run the script to change the KRBTGT account password again.

The password must be changed twice to remove the password history effectively. Changing once, waiting for replication to complete, and changing again reduces the risk of issues.

Check the KRBTGT account pwdLastSet attribute after the second password reset.
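Checking pwdLastSet on one domain controller tells you the reset happened, but the reason for waiting between the two resets is that every writable DC must hold the new value first. The function below is an added example (not from the original article or the reset script): it reads krbtgt's pwdLastSet from every writable DC in the domain and reports whether they all agree, so you can confirm replication has converged before the second reset and again after it. The domain default and the RWDC-only filter are assumptions.

```powershell
# Added example: confirm the KRBTGT pwdLastSet value has replicated to every writable DC.
Import-Module ActiveDirectory

function Test-KrbtgtReplication {
    param(
        # Assumption: the current domain; pass another DNS root to check a different domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    # RODCs use their own krbtgt_<id> accounts, so only writable DCs are compared here.
    $dcs = Get-ADDomainController -Filter * -Server $Domain | Where-Object { -not $_.IsReadOnly }

    $results = foreach ($dc in $dcs) {
        try {
            $u = Get-ADUser -Identity 'krbtgt' -Server $dc.HostName -Properties pwdLastSet
            [PSCustomObject]@{
                DomainController = $dc.HostName
                Site             = $dc.Site
                PwdLastSet       = [DateTime]::FromFileTime($u.pwdLastSet)
                Error            = $null
            }
        } catch {
            # A DC that cannot be queried is reported rather than silently skipped.
            [PSCustomObject]@{
                DomainController = $dc.HostName
                Site             = $dc.Site
                PwdLastSet       = $null
                Error            = $_.Exception.Message
            }
        }
    }

    $values = $results | Where-Object { $_.PwdLastSet } | Select-Object -ExpandProperty PwdLastSet -Unique
    $unreachable = @($results | Where-Object { $_.Error }).Count

    [PSCustomObject]@{
        Domain         = $Domain
        Converged      = (@($values).Count -eq 1 -and $unreachable -eq 0)
        DistinctValues = @($values).Count
        Unreachable    = $unreachable
        Details        = $results
    }
}

$check = Test-KrbtgtReplication
$check.Details | Format-Table DomainController, Site, PwdLastSet, Error -AutoSize

if ($check.Converged) {
    Write-Host "All writable DCs report the same pwdLastSet; safe to proceed with the next reset."
} else {
    Write-Warning "pwdLastSet differs or some DCs were unreachable ($($check.DistinctValues) distinct values, $($check.Unreachable) unreachable). Wait for replication before the next reset."
}
```

Run this after the first reset and again after the second one; Converged must be true both times, and the PwdLastSet column should show today's date on every DC after the second reset.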

That’s it!

Read more: Enable Self-Service Password Reset »

Conclusion

You learned how to reset the KRBTGT account password. Run the KRBTGT account password reset PowerShell script in simulation mode first. After that, run the PowerShell script in real reset mode. Do not forget to wait for AD replication to complete and then rerun the script to remove the password history.

Did you enjoy this article? You may also like Force password sync with Azure AD Connect. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »
