KRBTGT account password reset

When was the last time you changed the KRBTGT account password? If you don’t know the answer, that is most likely a bad sign. Did you know that Microsoft recommends resetting the KRBTGT account password at least every 180 days? In this article, we will look at the KRBTGT account and how to reset its password with a PowerShell script.

KRBTGT account

The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory.

KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created.

Note: You must reset the password for the KRBTGT account on a domain at least every 180 days.

Read the official Microsoft article about KRBTGT Account Password Reset Scripts now available for customers.

Check KRBTGT account password last set

Start Active Directory Users and Computers (ADUC). Click in the menu bar on View and enable Advanced Features.

Enable Advanced Features in Active Directory Users and Computers

Find the user object krbtgt and double-click on it to open the properties. Click the tab Attribute Editor. Find the attribute pwdLastSet.

Note: The SID for the KRBTGT account is S-1-5-<domain>-502 and lives in the Users OU in the domain by default. Microsoft does not recommend moving this account to another OU.

In our example, the KRBTGT account password was last set on 24 October 2023.

KRBTGT account password reset pwdLastSet

Another way to check the KRBTGT account password last set time is to run Get-ADUser cmdlet in PowerShell.

Get-ADUser "krbtgt" -Property Created, PasswordLastSet

The below output appears with the details.

Created           : 5/1/2023 12:31:55 PM
DistinguishedName : CN=krbtgt,CN=Users,DC=exoip,DC=local
Enabled           : False
GivenName         :
Name              : krbtgt
ObjectClass       : user
ObjectGUID        : d99a5ba6-f2ea-4a14-9b52-57bd425786a1
PasswordLastSet   : 10/24/2023 05:20:19 PM
SamAccountName    : krbtgt
SID               : S-1-5-21-1083891243-2317051905-4228426097-502
Surname           :
UserPrincipalName :

KRBTGT account password reset change frequency

How often do you need to reset the KRBTGT account password? Reset the password for the KRBTGT account at least every 180 days. The password must be changed twice to remove the password history effectively. Changing once, waiting for replication to complete, and changing again reduces the risk of issues. Changing twice in rapid succession forces clients to re-authenticate (including application services), but it is the desired approach if a compromise is suspected.

Important: We do not recommend scheduling the PowerShell script as an automated task as things can go wrong for multiple environmental reasons.

KRBTGT account password reset PowerShell script

Sign in to the Domain Controller or Management Server.

Download the KRBTGT password reset script from GitHub or as a direct download. The official script name is Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1. At the moment of writing, it’s on version 3.4.

Ensure the file is unblocked to prevent errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.

Note: Version 1 was written by Jared Poeppelman (Microsoft). After that, Jorge de Almeida Pintore rewrote the script, added tons of features, and that’s how the new version was born. We recommend using version 3.

Place the script in the C:\Scripts folder. Create a Scripts folder if you don’t have one.

KRBTGT account password reset scripts folder

Run Windows PowerShell as administrator and run the script.

C:\Scripts\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1

The KRBTGT password reset script will ask whether you want to read the script’s information, functions, behavior, and impact. Click Yes and go through the information.

KRBTGT account password reset script step 1

When you finish reading through the information, you will see 9 options to select.

The ones that we will use are:

  • 5 – Simulation Mode | Use KrbTgt PROD/REAL Accounts – No Password Reset/WhatIf Mode!
  • 6 – Real Reset Mode | Use KrbTgt PROD/REAL Accounts – Password Will Be Reset Once!

KRBTGT account password reset script step 2

Note: Option 5 will do nothing to the environment and will only show you all the details of what will happen. Option 6 will reset the KRBTGT password.

Simulation mode

Press option 5.

Fill in the AD forest FQDN that will be targeted, or press Enter for the current AD forest. We will target the forest exoip.local, which is the forest we are signed in to. After that, press Enter.

KRBTGT account password reset script step 3

Fill in the AD domain FQDN that will be targeted, or press Enter for the current domain. We will target the domain exoip.local, which is the domain we are signed in to. After that, press Enter.

KRBTGT account password reset script step 4

Select which KRBTGT account you want to target. Select 1. Type Continue and press Enter.

KRBTGT account password reset script step 5

If everything looks good, proceed to the next step.

Real reset mode

Do the same steps as above. But, this time, press option 6.

The output will show that a new password is set for the account KRBTGT.

KRBTGT account password reset script step 6

The KRBTGT account password reset script successfully set a new password for the KRBTGT account.

Verify KRBTGT account password has been set

Start Active Directory Users and Computers (ADUC). Find the user object krbtgt and double-click on it to open the properties. Click the tab Attribute Editor. Find the attribute pwdLastSet.

In our example, we can verify that the KRBTGT account was successfully reset on 24 February 2024 (today).

Verify KRBTGT pwdLastSet succeed

Check Windows Security event logs

After you run Mode 5 – Simulation Mode, the below event appears in the Security event log:

  • Event ID 4662

KRBTGT simulation mode

After you run Mode 6 – Real Reset Mode, the below events appear in the Security event log:

  • Event ID 4662
  • Event ID 4738
  • Event ID 4724

KRBTGT real reset mode

This is what Event ID 4724 looks like.

An attempt was made to reset an account’s password

KRBTGT account password reset real reset mode 4738

This is what Event ID 4738 looks like.

A user account was changed.

KRBTGT account password reset real reset mode 4724
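The two events above are what a defender should watch for, because a krbtgt password reset outside a planned maintenance window is worth an immediate look. The following PowerShell is an added example, not part of the article or of the reset script itself; it pulls events 4724 and 4738 for the krbtgt account from a DC’s Security log and reports who performed the reset and when. It assumes the ActiveDirectory tooling is not needed (only Get-WinEvent), that you run it elevated, and that the events are read from the DC that processed the reset (pass -ComputerName for a remote DC, or run it against each DC).

```powershell
# Added example: list who reset the krbtgt password and when, from the Security log.
# Assumes you run elevated on a DC, or pass the name of a DC in -ComputerName.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 30
)

$filter = @{
    LogName   = 'Security'
    Id        = 4724, 4738          # 4724: password reset attempt, 4738: user account changed
    StartTime = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The EventData field order differs between 4724 and 4738, so read the fields by name
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        if ($data['TargetUserName'] -eq 'krbtgt') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Target  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                DC      = $_.MachineName
            }
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

If the Subject is not the account you used for the planned reset, or the time does not match your change window, treat it as a security incident rather than an audit curiosity.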

Reset KRBTGT account password twice

Wait for AD replication to complete and repeat the same steps to change the KRBTGT password a second time. If you have a multi-site environment and want to wait for replication to complete before the second reset, that’s fine and recommended. Then, wait for the next day and run the script to change the KRBTGT account password again.

The password must be changed twice to remove the password history effectively. Changing once, waiting for replication to complete, and changing again reduces the risk of issues.

Check the KRBTGT account pwdLastSet attribute after the second password reset.
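Checking pwdLastSet on one DC only tells you that the reset landed there. The following PowerShell is an added example, not part of the article or of the reset script; it serves both the Get-ADUser check earlier in the article and this replication step. It queries the krbtgt pwdLastSet from every writable DC in the domain, reports the password age against the 180-day guideline, and flags DCs that still hold the old value so you know when it is safe to run the second reset. It assumes the ActiveDirectory module is available and that the account you run it as can query all DCs; RODCs are skipped because they use their own krbtgt_* accounts.

```powershell
# Added example: compare krbtgt pwdLastSet across all writable DCs and check its age.
# Assumes the ActiveDirectory module and rights to query every DC in the domain.
Import-Module ActiveDirectory

$maxAgeDays = 180
$domain = Get-ADDomain
# RODCs have their own krbtgt_<id> accounts, so only writable DCs are relevant here
$dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $domain.DNSRoot

$results = foreach ($dc in $dcs) {
    try {
        # -Server forces the read from that specific DC instead of the nearest one
        $u = Get-ADUser -Identity 'krbtgt' -Server $dc.HostName -Properties PasswordLastSet
        [pscustomobject]@{
            DC              = $dc.HostName
            PasswordLastSet = $u.PasswordLastSet
            AgeDays         = [int]((Get-Date) - $u.PasswordLastSet).TotalDays
        }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
}

$results | Format-Table -AutoSize

# The newest value is the one the reset wrote; any DC behind it has not replicated yet
$newest  = ($results | Sort-Object PasswordLastSet -Descending | Select-Object -First 1).PasswordLastSet
$lagging = $results | Where-Object { $_.PasswordLastSet -lt $newest }

if ($lagging) {
    Write-Warning "Replication not converged. DCs still showing an older pwdLastSet:"
    $lagging | ForEach-Object { Write-Warning "  $($_.DC) ($($_.PasswordLastSet))" }
    Write-Warning "Wait for replication to complete before running the second reset."
} elseif (((Get-Date) - $newest).TotalDays -gt $maxAgeDays) {
    Write-Warning "krbtgt password is older than $maxAgeDays days; plan a reset."
} else {
    Write-Host "All writable DCs agree on pwdLastSet $newest; age is within $maxAgeDays days."
}
```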

That’s it!

Read more: Active Directory health check with PowerShell script »

Conclusion

You learned how to reset the KRBTGT account password. Run the KRBTGT account password reset PowerShell script in simulation mode first. After that, run the PowerShell script in real reset mode. Do not forget to wait for AD replication to complete and then rerun the script to remove the password history.

Did you enjoy this article? You may also like Export inactive users from Active Directory report. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 13 Comments

  1. Hi,
    Is there a risk or something else of changing the Kerberos password ?
    I mean, can we reset the password during the day without causing problems for active users? Or we have to change it before leaving, in the evening ?

    Regards,

  2. What is the event generated after changing the KRBTGT account password? I would like to monitor this event!

    1. You can monitor the events in Windows Logs > Security:

      – First event: 4724 (An attempt was made to reset an account’s password)
      – Second event: 4738 (A user account was changed)

  3. Great script but I’d suggest changing the text colour to RED if an error is found in the checking phase – I didn’t notice I had a DC offline until AFTER running the script in mode 6, didn’t spot it when running mode 5.

    1. I just came here for the same reason. I saw a guide with the “right-click change password” And I could understand the complexity of the ps1 script

      On my DC that script prints a lot of errors on not closed quotes, etc

      I will just go with the right click change password thing

  4. Hi
    Nice article
    Is it worth executing the other modes for test and precheck, as it suggests when you run the script:

    It is highly recommended to use the following order of execution: !!!
    Mode 1 – Informational Mode (No Changes At All)
    Mode 8 – Create TEST KrbTgt Accounts
    Mode 2 – Simulation Mode (Temporary Canary Object Created, No Password Reset!)
    Mode 3 – Simulation Mode – Use KrbTgt TEST/BOGUS Accounts (No Password Reset, Check Only!)
    Mode 4 – Real Reset Mode – Use KrbTgt TEST/BOGUS Accounts (Password Will Be Reset Once!)
    Mode 5 – Simulation Mode – Use KrbTgt PROD/REAL Accounts (No Password Reset, Check Only!)
    Mode 6 – Real Reset Mode – Use KrbTgt PROD/REAL Accounts (Password Will Be Reset Once!)
    Mode 9 – Cleanup TEST KrbTgt Accounts (Could be skipped to reuse accounts the next time!)

  5. Hi Ali, nice work!
    The only thing is do we need to know what password does the script set to?
    Cheers, Mark
