Skip to content

PSSecTools/Krbtgt

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
.github/workflows
.github/workflows
 
 
Krbtgt
Krbtgt
 
 
build
build
 
 
library/Krbtgt
library/Krbtgt
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
install.ps1
install.ps1
 
 

Repository files navigation

Krbtgt

Welcome to the project to deliver on all your Krbtgt account password reset issues.

How to use

Reset-KrbPassword

And that's all you need ... unless you need to reset the krbtgt account for Read Only DCs, in which case you'll also want to use this:

Reset-KrbRODCPassword

Prerequisites

  • All Domain Controllers need to be manageable by WinRM & PowerShell Remoting
  • Modules required on the executing computer:
    • Active Directory Module
    • PSFramework Module
    • Group Policy Module (optional)

The Procedure

For the full krbtgt password reset, Reset-KrbPassword will perform the following operations:

  • Retrieve the krbtgt account and check, whether it is safe to reset the password
    • It checks the PwdLastSet property for the last time it was reset
    • It checks group policy for the Kerberos configuration to calculate the next safe reset time (valid ticket duration + 2x Time Skew)
    • This validation can be disabled using the -Force parameter (Note: Doing so will have a HUGE impact on most production environments)
  • Perform a test password reset with a dummy account
    • Creates a temporary account and ensures, the password reset is properly replciated using the same tools as the main reset will be using.
  • Reset the krbtgt account password on the PDC Emulator
  • Force all DCs in the domain to do a single object replication of the krbtgt account against the PDC

Logging

The entire procedure is automatically logged using the PSFramework module.

All actions are logged to memory and can be retrieved using:

Get-PSFMessage

Furthermore, it will automatically create a debug log that is by default written to AppData of the executing user. To access the specific path it will write to, execute the following line:

Get-PSFConfigValue -FullName PSFramework.Logging.FileSystem.LogPath

Logs are (by default) retained for 7 days. This logging can be extended to log to persisted files are straight to your SIEM solution of choice. For more details on this system, see PSFramework Quickstart Guide to Logging.

More Tools

  • Use Test-KrbPasswordReset in order to do just the test run without any action.
  • Use Get-KrbAccount to retrieve information on the krbtgt account.

About

Module to update the Krbtgt password

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

45 stars

Watchers

6 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages