It is therefore strongly recommended to wait 24 hours between resets, rather than just the minimum recommended 10 hours.<\/p>\n\n\n\n
Resetting the KRBTGT account password twice is essential because Active Directory stores the previous two passwords for Kerberos ticket validation. The first reset creates a new password but keeps the (potentially) compromised one in history; the second reset eliminates the old password entirely, rendering active forged “golden tickets” invalid.<\/p>\n\n\n\n
It is not recommended to automate the process of resetting the KRBTGT password due to the risk of the process going wrong and resulting in service unavailability.<\/strong><\/p>\n\n\n\n Do not attempt to reset the KRBTGT_AzureAD account password without fully understanding the process and what is required, there is a specific process that differs from the below for resetting this particular account password.<\/strong><\/p>\n\n\n\n https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/howto-authentication-passwordless-security-key-on-premises<\/a><\/p>\n\n\n\n How to complete the reset of this particular KRBTGT_AzureAD account is beyond the scope of this article; as is the reset of the KRBTGT_XXXXX (Number) accounts used by Read Only Domain Controllers.<\/p>\n\n\n\n Find when the KRBTGT password was last changed with:<\/p>\n\n\n\n You should see an output such as the following which shows that the KRBTGT password was last reset on 13th December 2012 at 09:21:05<\/strong> in the morning.<\/p>\n\n\n\n Find when the KRBTGT password was last changed with the below script, this script has the added bonus that it will seek out and find all of the KRBTGT accounts you may have in your domain and report on those.<\/p>\n\n\n\n Be aware that you only have one KRBTGT account per Active Directory Domain, the additional accounts will only exist if you have Read Only Domain Controllers (RODC) and\/or Active Directory Directory Sync to Microsoft 365.<\/p>\n\n\n\n krbtgt_getinfo.ps1<\/strong><\/p>\n\n\n\n Gets the output of:<\/p>\n\n\n\n As you can see we can see a number of KRBTGT accounts, the one called “KRBTGT” is domain’s Ticket Granting Ticket account, it is this which we want to reset (typically), the other two called KRBTGT_35708 and KRBTGT_4536 are used by RODC, we typically won’t need to reset these, but you may also wish to. The last one KRBTGT_AzureAD is a special use KRBTGT account for Active Directory ADSync.<\/p>\n\n\n\n Unless the lifetime has been changed by someone, this will be set to the default 10 Hours. To verify this the following PoweShell may be used. The GUID is apparently the same across any forest and domain, but add your Domain you want to inspect at the end:<\/p>\n\n\n\n You should now get a number the output showing the Maximum TGT Lifetime in hours.<\/p>\n\n\n\n As per this article: https:\/\/adsecurity.org\/?p=483<\/a>, the following is mentioned:<\/p>\n\n\n\n Note: Changing the KRBTGT password is only supported by Microsoft once the domain functional level is Windows Server 2008 or greater. This is likely due to the fact that the KRBTGT password changes as part of the DFL update to 2008 to support Kerberos AES encryption, so it has been tested.<\/p>\n<\/blockquote>\n\n\n\n So because the domain and forest is now running beyond the 2008 functional level, we are at the time of writing on 2016 Functional Level (for Domain and Forest), the DFL triggered a reset of the password, therefore it has AES credentials (effectively), so although we appear to be good, we’ll reset the password anyway. We’re concerned about this because of the retirement of the RC4 Cipher in April 2026, in our case it appears the KRBTGT has the necessary AES credentials, but a reset of the KRBTGT password will just ensure doubly that this is the case.<\/p>\n\n\n\n The password reset can be completed manually (its not a complicated procedure), the Microsoft article: https:\/\/learn.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/manage\/forest-recovery-guide\/ad-forest-recovery-reset-the-krbtgt-password<\/a> explains how to complete these steps. We are going to use a script that has been written for just this purpose.<\/p>\n\n\n\n Like with many things, you just do what Ali says: https:\/\/www.alitajran.com\/krbtgt-password-reset\/<\/a><\/p>\n\n\n\n Because we only have a single domain within the forest we do not need to follow the process of resetting the KRBTGT in each child domain first (citation<\/a>).<\/p>\n\n\n\n No considerations could be found that referenced a problem with resetting the KRBTGT and any effect on the Forest Trust to the hinxtonit.com<\/a> Forest (and domain).<\/p>\n\n\n\n Ensure you have valid Active Directory backups available and recently taken and tested so you can perform a restoration of the whole of Active Directory if it were so to be required.<\/p>\n\n\n\n To manually check the replication status you can use the commands to look for any issues identified:<\/p>\n\n\n\n Other useful commands can be found in:\u00a0https:\/\/activedirectorypro.com\/repadmin-how-to-check-active-directory-replication\/<\/a><\/p>\n\n\n\n From an Active Directory Domain Controller, using a user accont with Domain Admin privileges perform the following steps:<\/p>\n\n\n\n 1. Select Start<\/strong>, point to Control Panel<\/strong>, point to Administrative Tools<\/strong>, and then select Active Directory Users and Computers<\/strong>. The password that you specify isn’t significant because the system generates a strong password automatically independent of the password that you specify. But you may want to make a record of it anyway.<\/p>\n\n\n\n The following PowerShell will generate a random secure password which you may want to use, but being that the system generates another one that it actually uses its kind of irrelevant.<\/p>\n\n\n\n Verify the KRBTGT account password has been changed by running the PowerShell command:<\/p>\n\n\n\n And observing that the date and time of the PasswordLastSet<\/strong> attribute have changed to the date and time of the 1st password change attempt.<\/p>\n\n\n\n Examine the Windows Event log, specifically the Security log and look for the following event IDs, potentially in this order:<\/p>\n\n\n\n You are looking to verify that the KRBTGT account password has been successfully reset.<\/p>\n\n\n\n Examine the Windows Event log via Splunk, specifically the Security log and look for the following Event IDs:<\/p>\n\n\n\n You can also if you wish filter for the Target Account Name and Keywords if you have a busy number of account passwords resets taking place due to normal course of business.<\/p>\n\n\n\n You are looking to verify that the KRBTGT account password has been successfully reset. <\/p>\n\n\n\n Note your index name will likely be different.<\/p>\n\n\n\n Verify that Active Directory Domain Controller replication has been successful following the first password change.<\/p>\n\n\n\n Additionally verify there are no obvious issues with authentication following the change of the password.<\/p>\n\n\n\n From an Active Directory Domain Controller, using a user accont with Domain Admin privileges perform the following steps:<\/p>\n\n\n\n ATTENTION<\/strong>: Do not proceed with the following steps until at least 24 hours have passed since the last KRBTGT account password reset.<\/p>\n\n\n\n Failure to wait at least 10 hours (or whatever the maximum ticket lifetime is) will result in valid Kerberos Tickets being invalidated incorrectly and loss of availability.<\/p>\n\n\n\n 1. Select Start<\/strong>, point to Control Panel<\/strong>, point to Administrative Tools<\/strong>, and then select Active Directory Users and Computers<\/strong>. The password that you specify isn’t significant because the system generates a strong password automatically independent of the password that you specify. But you may want to make a record of it anyway.<\/p>\n\n\n\n Repeat the tasks that were detailed in Step 5<\/strong> to verify that the KRBTGT password was successfully reset for the second time.<\/p>\n\n\n\n Repeat the tasks that were details in Step 6 to verify the Active Directory replication is successful and authentication is working as expected.<\/p>\n\n\n\n And that, is it, you have successfully reset the KRBTGT account password.<\/p>\n\n\n\n You can use some PowerShell scripts that can semi-automate the process. You may or may not want to use these.<\/p>\n\n\n\n Download the Active Directory Health and Replication Status script from: https:\/\/www.alitajran.com\/active-directory-health-check-powershell-script\/<\/a> and place onto a Domain Controller ready for use.<\/p>\n\n\n\n You can then verify the output by examining the HTML file generated in the same directory as the script was run from.<\/p>\n\n\n\n Download the password reset script from: https:\/\/github.com\/zjorz\/Public-AD-Scripts\/blob\/master\/Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1<\/a> and place onto a Domain Controller ready for use. The script will need to be run by a user with Domain Administrator privileges.<\/p>\n\n\n\n Run the script within an elevated PowerShell console prompt (which has the Active Directory Module available), we’ll bypass (answer “A” when prompted) the need for digital signing because the script is not been digitally signed, but has been reviewed by Sanger staff and is safe for use. <\/p>\n\n\n\n You can then perform a dry run, or a real password reset.<\/p>\n\n\n\n The periodic reset of the KRBTGT password is now recommended by Microsoft to be carried out every 180 days. Resetting the password periodically reduces the risks of a Kerbroasting attack being successful. To ensure the KRBTGT password is fully reset you MUST perform this reset operation twice. And you MUST wait a bare minimum of … Read more<\/a><\/p>\n","protected":false},"author":4,"featured_media":4367,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27,14],"tags":[],"class_list":["post-5209","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-active-directory","category-microsoft-windows"],"_links":{"self":[{"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/5209","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5209"}],"version-history":[{"count":1,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/5209\/revisions"}],"predecessor-version":[{"id":5214,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/5209\/revisions\/5214"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/media\/4367"}],"wp:attachment":[{"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5209"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5209"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5209"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Find Last Change Date (Powershell)<\/h1>\n\n\n\n
Get-ADUser \"krbtgt\" -Property Created, PasswordLastSet<\/code><\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2026\/04\/image-13.png\")
<\/figure>\n\n\n\nFind Last Change Date (Script)<\/h1>\n\n\n\n
import-module activedirectory\n$ADForestRootDomain = (Get-ADForest).RootDomain\n$AllADForestDomains = (Get-ADForest).Domains\n$ForestKRBTGTInfo = @()\nForEach ($AllADForestDomainsItem in $AllADForestDomains)\n{\n[string]$DomainDC = (Get-ADDomainController -Discover -Force -Service \u201cPrimaryDC\u201d -DomainName $AllADForestDomainsItem).HostName\n[array]$ForestKRBTGTInfo += Get-ADUSer -filter {name -like \u201ckrbtgt*\u201d} -Server $DomainDC -Prop Name,Created,logonCount,Modified,PasswordLastSet,PasswordExpired,msDS-KeyVersionNumber,CanonicalName,msDS-KrbTgtLinkBl\n}\n$ForestKRBTGTInfo | Select Name,Created,logonCount,PasswordLastSet,PasswordExpired,msDS-KeyVersionNumber,CanonicalName | ft -auto<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2026\/04\/image-14-1024x130.png\")
<\/figure>\n\n\n\nFind Maximum TGT Lifetime (in Hours)<\/h1>\n\n\n\n
[xml]$gpo = Get-GPOReport -Guid '{31B2F340-016D-11D2-945F-00C04FB984F9}' -ReportType Xml -ErrorAction Stop -Domain internal.domain.com\n\n$MaxTgtLifetimeHours = (($gpo.gpo.Computer.ExtensionData | Where-Object { $_.name -eq 'Security' }).Extension.ChildNodes | Where-Object { $_.Name -\neq 'MaxTicketAge' }).SettingNumber\n\nWrite-Host \"$MaxTgtLifetimeHours Hours\"<\/code><\/pre>\n\n\n\nUp to Date Credential Encryption<\/h1>\n\n\n\n
\n
KRBTGT Password Reset Procedure<\/h1>\n\n\n\n
Step 1 – Considerations for Multi-Domain and Forest Trusts<\/h2>\n\n\n\n
Step 2 – Ensure Backups of Active Directory Exist<\/h2>\n\n\n\n
Step 3 – Check Active Directory Health and Replication Status<\/h2>\n\n\n\n
repadmin \/showrepl\nrepadmin \/replsummary\nrepadmin \/queue<\/code><\/pre>\n\n\n\nStep 4 – Reset the KRBTGT Account Password – 1st Time Pass<\/h2>\n\n\n\n
2. Select View<\/strong>, and then select Advanced Features<\/strong>.
3. In the console tree, double-click the domain container, and then select Users<\/strong>.
4. In the details pane, right-click the krbtgt <\/strong>user account, and then select Reset Password<\/strong>.
5. Clear (untick) <\/strong>the User must change password at next logon<\/strong> check box, and then click OK<\/strong>. Important!
6. In New password<\/strong>, type a new password, retype the password in Confirm password<\/strong>, and then select OK<\/strong>.<\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2026\/04\/image-15.png\")
<\/figure>\n\n\n\n[Reflection.Assembly]::LoadWithPartialName(\u201cSystem.Web\u201d)\n$RandPassLength = [int] 128\nWrite-Output \u201cGenerating Random Password of $RandPassLength Characters\u201d\n$RandomPassword = [System.Web.Security.Membership]::GeneratePassword($RandPassLength,2)\n$RandomPassword<\/code><\/pre>\n\n\n\nStep 5 – Verify Password Reset after 1st Time Pass<\/h2>\n\n\n\n
Get-ADUser \"krbtgt\" -Property Created, PasswordLastSet<\/code><\/pre>\n\n\n\nEvent Viewer<\/h3>\n\n\n\n
\n
Splunk<\/h3>\n\n\n\n
\n
index=\"wineventlog\" LogName=\"Security\" EventCode IN (\"4724\",\"4738\") earliest=-2d@d latest=now Target_Account_Name=krbtgt Keywords=\"Audit Success\"<\/code><\/pre>\n\n\n\nStep 6 – Verify Replication Successful<\/h2>\n\n\n\n
repadmin \/showrepl\nrepadmin \/replsummary\nrepadmin \/queue<\/code><\/pre>\n\n\n\nrepadmin.exe \/showattr *.internal.domain.com\u201c cn=krbtgt,cn=users,dc=internal,dc=domain,dc=com\u201d \/atts:pwdLastSet<\/code><\/pre>\n\n\n\nStep 7 – Reset the KRBTGT Account Password – 2nd Time Pass<\/h2>\n\n\n\n
2. Select View<\/strong>, and then select Advanced Features<\/strong>.
3. In the console tree, double-click the domain container, and then select Users<\/strong>.
4. In the details pane, right-click the krbtgt <\/strong>user account, and then select Reset Password<\/strong>.
5. Clear (untick) <\/strong>the User must change password at next logon<\/strong> check box, and then click OK<\/strong>. Important!
6. In New password<\/strong>, type a new password, retype the password in Confirm password<\/strong>, and then select OK<\/strong>.<\/p>\n\n\n\n![\"\"](\"https:\/\/geekmungus.co.uk\/wp-content\/uploads\/2026\/04\/image-16.png\")
<\/figure>\n\n\n\nStep 8 – Verify Password Reset after 2nd Time Pass<\/h2>\n\n\n\n
Step 9 – Verify Replication Successful<\/h2>\n\n\n\n
Conclusion<\/h2>\n\n\n\n
PowerShell Scripts<\/h1>\n\n\n\n
Active Directory Health and Replication Status Script<\/h2>\n\n\n\n
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass\n\nc:\\script\\Get-ADHealth.ps1 -ReportFile<\/code><\/pre>\n\n\n\nKRBTGT Password Reset Script<\/h2>\n\n\n\n
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass\n\nc:\\script\\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1<\/code><\/pre>\n\n\n\nAdditional Information<\/h1>\n\n\n\n
\n