Recently one of my customers want to change KRBTGT password for security reason. This account present in Active Directory is used by Key Distribution Centre. He is disabled and he can’t be deleted or enlabled. It’s recommanded to change his password two or four times by year.

Change password

Microsoft provide a powershell script for change the password of KRBTGT account. You can download it here.

Click on New-CtmADKrbtgtKeys.zip for download the file.

Before run the script, PwdLastSet of my krbtgt account is equal to 28/11/2020 21:42:17. I have promoted this server at this time.

Extract the zip file on the domaine controller server. The powershell script is present on the zip file.

Open a powershell command prompt with admin right and run the script with the following command :

.\New-CtmADKrbtgtKeys.ps1

If execution policy for Powershell script is by default, you have the following error message.

Modify the execution policy with the following command :

set-executionpolicy -executionpolicy bypass

You can now run the script. Three option is available :

1 - Information mode

With information mode, the password is not modified and the replication is performed. Only different tests are performed on this mode.

2 - Simulation mode

Only replication test has been tested. The password is not modified. With this mode, you can have an estimated time of the total duration.

3 - Reset mode

Password of the ktgt is changed and the replication is performed

Enter Y on the powershell command prompt for launch reset of the password.

Verify modification

The password has been modified and replication has been performed. The value of pwsLastSet has been modify.