Active Directory: change the KrbTgt account password

In this tutorial, I will explain how to change the password of the KrbTgt account.

Before explaining how to change the password of this account, I will give you some explanations.

Who is krbtgt?

The krbtgt account is a disabled, built-in service account in Active Directory. The key derived from its password is what the Key Distribution Center (KDC) uses to encrypt and sign Ticket Granting Tickets (TGTs), so it is involved in every Kerberos authentication in the domain.

This account has the following features:

  • It is disabled (it is never used to log on; only its key matters)
  • It keeps two passwords: the current one and the previous one. The KDC still accepts tickets issued under the previous key, which is why the reset procedure below has two steps.

As a reminder, Kerberos tickets have a maximum lifetime of 10 hours by default (the "Maximum lifetime for user ticket" setting, found in the Kerberos policy of the Default Domain Policy).

The account lives in the Users container, but it is hidden by default in Active Directory Users and Computers, so you will not see it in the normal view.

To see it, enable Advanced Features in the View menu; the krbtgt account then appears in the Users container.
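Rather than hunting for the account in the GUI, you can inspect it from PowerShell. The block below is an added example, not part of the original tutorial or of the reset script; it assumes the RSAT ActiveDirectory module on a domain-joined machine and an elevated prompt. It shows the properties discussed above (disabled state, the well-known RID 502, the key version number that increments on each reset, when the password was last set) and reads the ticket lifetime from the Default Domain Policy, whose GUID is fixed. The "never reset since domain creation" heuristic is my own assumption, not a Microsoft check.

```powershell
# Added example (not from the original tutorial): inspect the krbtgt account and the
# domain's maximum ticket lifetime. Requires the RSAT ActiveDirectory module; run it in
# an elevated PowerShell prompt on a domain-joined host.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Query the PDC Emulator so that we read the most authoritative copy of the object.
$krbtgt = Get-ADUser -Identity 'krbtgt' -Server $domain.PDCEmulator `
    -Properties Enabled, PasswordLastSet, 'msDS-KeyVersionNumber', whenCreated

[pscustomobject]@{
    DistinguishedName = $krbtgt.DistinguishedName
    RID               = ($krbtgt.SID.Value -split '-')[-1]   # krbtgt is always RID 502
    Enabled           = $krbtgt.Enabled                      # expected: False
    PasswordLastSet   = $krbtgt.PasswordLastSet
    KeyVersionNumber  = $krbtgt.'msDS-KeyVersionNumber'      # increases by one per reset
    WhenCreated       = $krbtgt.whenCreated
} | Format-List

# "Maximum lifetime for user ticket" is stored in the Default Domain Policy GPO
# ({31B2F340-016D-11D2-945F-00C04FB984F9}) as MaxTicketAge in GptTmpl.inf.
$maxTicketAgeHours = 10   # Kerberos default, used if the policy file cannot be read
$infPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
if (Test-Path -LiteralPath $infPath) {
    $line = Get-Content -LiteralPath $infPath |
            Where-Object { $_ -like 'MaxTicketAge*' } | Select-Object -First 1
    if ($line -and ($line -match '^\s*MaxTicketAge\s*=\s*(\d+)')) {
        $maxTicketAgeHours = [int]$Matches[1]
    }
}
Write-Host "Maximum user ticket lifetime: $maxTicketAgeHours hour(s)"

# Heuristic (my assumption): if PasswordLastSet is within a few minutes of whenCreated,
# the key has never been rotated since the domain was promoted.
if ($krbtgt.PasswordLastSet -le $krbtgt.whenCreated.AddMinutes(5)) {
    Write-Warning 'krbtgt password appears never to have been reset since domain creation.'
}
$ageDays = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
if ($ageDays -gt 365) {
    Write-Warning "krbtgt password is $ageDays days old; a yearly rotation is overdue."
}
```

A krbtgt object whose PasswordLastSet still matches the domain's creation date is the usual finding in environments that have never run this procedure, and it is exactly the key an attacker who once dumped NTDS.dit would still hold.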

Now that you have the basic information about this account, I will explain why to change the password.

Why change the krbtgt password

The main reason is security: if your Active Directory environment has been compromised, or you suspect it has been, in particular by a Golden Ticket attack (an attacker who has obtained the krbtgt key can forge TGTs for any account), it is imperative to reset the password of this account, as forged tickets stay valid for as long as the key they were signed with is accepted by the KDC.

It is also advisable to change the password once a year.

Change krbtgt account password

Changing the password is not complicated, but it has to be done with a PowerShell script: resetting it through the Active Directory Users and Computers GUI gives you none of the replication checks or the controlled two-step process the script provides, and it should not be done that way.

Microsoft does not ship a built-in tool for this, but there is a "more or less official" script, maintained by Microsoft engineers, that does it.

Download the script, here are several links:

Once downloaded, copy it to a domain controller, preferably the one holding the PDC Emulator FSMO role.

Launch a PowerShell prompt as administrator and run the script.

When the script is launched, it asks you if you want to read the script information, enter YES or NO.

For my part, I answered NO.

Then you have to choose the execution mode. The mode that interests us is the one that actually resets the password, which is choice 6 in the version I used: enter 6.

The mode numbers may change between versions of the script. Before running it in production, I advise you to run one of the test/simulation modes first, so you can see what the script would do without changing anything.

If you have several Active Directory forests, enter the FQDN of the forest to target; otherwise press Enter to accept the current one.

You must then indicate the Active Directory domain. Again, if you have a single domain, press Enter to accept the current one; otherwise enter the domain name.

The script then checks that the current user has the rights required to make this change.

Next, choose which KrbTgt accounts will be affected by the reset. Each read-only domain controller has its own krbtgt account (named krbtgt_<number>) in addition to the domain's krbtgt account used by the writable DCs. As I have no read-only domain controllers, I choose 1 (the krbtgt account of the writable DCs) and press Enter.

Confirm password change by typing CONTINUE and pressing Enter.

The first password reset is done.

To complete the operation, it must be repeated after at least the maximum ticket lifetime (10 hours by default) has passed and the new password has replicated to every domain controller. The reason is that the account keeps the previous password, and the KDC still accepts tickets issued under it, so as not to invalidate all the tickets already distributed. This also means the first reset alone does not get rid of a compromised key: only the second reset pushes the old key out of the history, and a Golden Ticket forged with it keeps working until then. Running the second reset too early, on the other hand, invalidates legitimate tickets and forces every user and computer to re-authenticate.
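Between the two resets, a practitioner wants two things confirmed: that every writable domain controller has received the new key, and when the second reset may be run. The block below is an added example, not the reset script itself or anything from the original tutorial. It assumes the RSAT ActiveDirectory module and that the domain uses the default 10-hour ticket lifetime (set `$maxTicketAgeHours` to your own value if the Kerberos policy differs). It queries krbtgt directly on each writable DC, compares the key version numbers, and derives the earliest time for the second reset from the most recent PasswordLastSet value.

```powershell
# Added example (not from the original tutorial): after the first krbtgt reset, verify
# that every writable DC holds the new key and compute when the second reset is safe.
Import-Module ActiveDirectory

# Assumption: "Maximum lifetime for user ticket" is the 10-hour default in this domain.
$maxTicketAgeHours = 10

$domain = Get-ADDomain
# RODCs have their own krbtgt_<number> accounts; only writable DCs hold the domain krbtgt key.
$dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $domain.PDCEmulator

# Ask each DC for its own copy of the object instead of trusting a single replica.
$results = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity 'krbtgt' -Server $dc.HostName `
                -Properties PasswordLastSet, 'msDS-KeyVersionNumber'
        [pscustomobject]@{
            DC              = $dc.HostName
            PasswordLastSet = $u.PasswordLastSet
            KVNO            = $u.'msDS-KeyVersionNumber'
            Error           = $null
        }
    } catch {
        [pscustomobject]@{
            DC              = $dc.HostName
            PasswordLastSet = $null
            KVNO            = $null
            Error           = $_.Exception.Message
        }
    }
}
$results | Format-Table -AutoSize

$unreachable = @($results | Where-Object { $_.Error })
$kvnos       = @($results | Where-Object { -not $_.Error } |
                Select-Object -ExpandProperty KVNO -Unique)

if ($unreachable.Count -gt 0) {
    # A DC that cannot be queried may still be serving tickets with the old key.
    Write-Warning ("Could not query: " + ($unreachable.DC -join ', ') +
                   ". Do not run the second reset until these DCs are confirmed.")
}
if ($kvnos.Count -ne 1) {
    # Different key version numbers mean the first reset has not replicated everywhere yet.
    Write-Warning "krbtgt key version differs between DCs ($($kvnos -join ', ')); wait for replication."
} else {
    $lastSet  = ($results | Where-Object { $_.PasswordLastSet } |
                 Measure-Object -Property PasswordLastSet -Maximum).Maximum
    $earliest = $lastSet.AddHours($maxTicketAgeHours)
    Write-Host "All writable DCs report KVNO $($kvnos[0]), password set at $lastSet."
    if ((Get-Date) -ge $earliest) {
        Write-Host "The ticket lifetime has elapsed; the second reset can be run now."
    } else {
        Write-Host "Second reset allowed from $earliest (in $([int]($earliest - (Get-Date)).TotalMinutes) minutes)."
    }
}
```

Run it once right after the first reset to catch replication problems (typically a DC that is offline or a broken replication link), and again before starting the second pass. Seeing the key version number increment by exactly one on every DC is the simplest evidence that the old key has been rotated everywhere; after the second pass it should have increased by two in total.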

Now you know how to change the KrbTgt account password.

In order to familiarize yourself with the operation, I advise you to do it in a Lab environment before.

Normally this operation can be carried out during the day, but I still advise you to do it on a weekend.