Recently one of my customers wanted to change the KRBTGT password for security reasons. This account exists in Active Directory and is used by the Key Distribution Center. It is disabled and cannot be deleted or enabled. It is recommended to change its password two to four times a year.
Microsoft provides a PowerShell script to change the password of the KRBTGT account. You can download it here.
Click on New-CtmADKrbtgtKeys.zip to download the file.
Before running the script, the PwdLastSet of my krbtgt account was 28/11/2020 21:42:17, the time at which I promoted this server.
Extract the zip file on the domain controller. The PowerShell script is inside the zip file.
Open a PowerShell prompt with administrator rights and run the script with the following command:
If the PowerShell execution policy is still at its default, you get the following error message.
Modify the execution policy with the following command:
set-executionpolicy -executionpolicy bypass
You can now run the script. Three modes are available:
1 - Information mode
In information mode the password is not modified; the script only runs its checks, including a replication check.
2 - Simulation mode
Only the replication test is run. The password is not modified. This mode gives you an estimate of the total duration.
3 - Reset mode
The password of the krbtgt account is changed and replication is performed.
Enter Y at the PowerShell prompt to launch the password reset.
The password has been modified and replication has been performed. The value of pwdLastSet has changed.
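To confirm that the reset has reached every domain controller, here is an added PowerShell check; it is not part of the original post or of Microsoft's script. It assumes the RSAT ActiveDirectory module is installed and uses a 180-day maximum password age as a placeholder for your own policy.

```powershell
# Added example: read the krbtgt pwdLastSet from every DC's own replica,
# report the password age, and flag DCs that have not yet replicated the reset.
# $MaxAgeDays is an assumed threshold (roughly twice a year); adjust to your policy.
param(
    [int]$MaxAgeDays = 180
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * -Server $domain.PDCEmulator

$results = foreach ($dc in $dcs) {
    try {
        # Query each DC directly (-Server) so we see that DC's copy of the attribute,
        # not whichever DC the module happens to choose for us.
        $krbtgt  = Get-ADUser -Identity 'krbtgt' -Server $dc.HostName -Properties pwdLastSet
        $lastSet = [DateTime]::FromFileTimeUtc($krbtgt.pwdLastSet)
        [pscustomobject]@{
            DC         = $dc.HostName
            PwdLastSet = $lastSet
            AgeDays    = [int]((Get-Date).ToUniversalTime() - $lastSet).TotalDays
        }
    } catch {
        # Unreachable DC: report it rather than silently skipping it.
        [pscustomobject]@{ DC = $dc.HostName; PwdLastSet = $null; AgeDays = $null }
    }
}

$results | Sort-Object DC | Format-Table -AutoSize

# Once replication is complete, every reachable DC must report the same pwdLastSet.
$distinct = $results | Where-Object { $_.PwdLastSet } |
            Select-Object -ExpandProperty PwdLastSet | Sort-Object -Unique
if (@($distinct).Count -gt 1) {
    Write-Warning 'krbtgt pwdLastSet differs between DCs: replication is not complete yet.'
}
$stale = $results | Where-Object { $_.AgeDays -gt $MaxAgeDays }
if ($stale) {
    Write-Warning "krbtgt password is older than $MaxAgeDays days on: $($stale.DC -join ', ')"
}
$unreachable = $results | Where-Object { -not $_.PwdLastSet }
if ($unreachable) {
    Write-Warning "Could not query: $($unreachable.DC -join ', ')"
}
```

Run it before the reset to see the old date on every DC, then again afterwards until all DCs agree on the new pwdLastSet.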