Change Krbtgt password

Recently one of my customers wanted to change the KRBTGT password for security reasons. This Active Directory account is used by the Key Distribution Center (KDC) to sign and encrypt Kerberos tickets. It is disabled and cannot be deleted or enabled. It is recommended to change its password two or four times a year.

Change password

Microsoft provides a PowerShell script to change the password of the KRBTGT account. You can download it here.

Click on New-CtmADKrbtgtKeys.zip to download the file.

Change Krbtgt password - Download script file

Before running the script, the pwdLastSet of my krbtgt account is 28/11/2020 21:42:17, which is when I promoted this server.

Change Krbtgt password - Value of pwdLastSet

Extract the zip file on the domain controller. The PowerShell script is inside the zip file.

Change Krbtgt password - Extract file

Open a PowerShell prompt with administrator rights and run the script with the following command:

.\New-CtmADKrbtgtKeys.ps1

Change Krbtgt password - Launch powershell command

If the PowerShell execution policy is still at its default, you get the following error message.

error message due to execution policy of the powershell script

Modify the execution policy with the following command (without -Scope, the change applies to the LocalMachine scope and persists; add -Scope Process to limit it to the current session):

set-executionpolicy -executionpolicy bypass

Modify ExecutionPolicy

You can now run the script. Three options are available:

1 - Information mode

In information mode, the password is not modified; only the replication test and the other checks are performed.

Information mode. Test has been performed.

2 - Simulation mode

Only the replication test is run; the password is not modified. This mode gives you an estimate of how long the full reset will take.

Run the simulation mode

3 - Reset mode

The password of the krbtgt account is changed and the replication is performed.

password of krbtgt is modified and replication is performed

Enter Y at the PowerShell prompt to launch the reset of the password.

Password has been reset

Verify modification

The password has been modified and replication has been performed. The value of pwdLastSet has been updated.

pwdLastSet has been modified
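As an added example for this verification step (my own check, not part of the original post or of Microsoft's script), the following PowerShell queries every domain controller for the krbtgt account's PasswordLastSet and msDS-KeyVersionNumber, so you can confirm the new key has replicated everywhere, and warns if a second reset would come too soon after the first. It assumes the ActiveDirectory module and the default 10-hour maximum ticket lifetime.

```powershell
# Added example (not from the original post): check that the krbtgt reset
# has replicated to all DCs and that the last reset is old enough.
Import-Module ActiveDirectory

# Maximum Kerberos ticket lifetime (assumption: default domain policy, 10 h).
# Tickets issued under the previous key stay valid for this long, so a second
# reset should wait at least this many hours after the first.
$minHoursBetweenResets = 10

# Query each DC directly (-Server) so we see its local copy, not a replicated view.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $u = Get-ADUser -Identity 'krbtgt' -Server $dc.HostName `
            -Properties PasswordLastSet, 'msDS-KeyVersionNumber'
    [pscustomobject]@{
        DC              = $dc.HostName
        PasswordLastSet = $u.PasswordLastSet
        KeyVersion      = $u.'msDS-KeyVersionNumber'
    }
}

$results | Format-Table -AutoSize

# Every DC must report the same key version; a mismatch means replication
# of the new krbtgt key is still pending on some DCs.
$versions = @($results.KeyVersion | Sort-Object -Unique)
if ($versions.Count -ne 1) {
    Write-Warning "krbtgt key version differs across DCs: $($versions -join ', ')"
} else {
    Write-Host "krbtgt key version $($versions[0]) is consistent on all $($results.Count) DCs."
}

# Age of the most recent reset as seen by any DC.
$latest = ($results | Sort-Object PasswordLastSet | Select-Object -Last 1).PasswordLastSet
$age = (Get-Date) - $latest
if ($age.TotalHours -lt $minHoursBetweenResets) {
    Write-Warning ("Last reset was {0:N1} h ago; wait at least {1} h before resetting again." -f `
        $age.TotalHours, $minHoursBetweenResets)
}
```

Run it from a domain controller or a host with RSAT, in the same elevated prompt used for the script.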
