Skip to content
/ krbtgtRotate Public

krbtgtRotate is a PowerShell module for safely rotating the krbtgt account password in Active Directory environments. It ensures password changes do not disrupt Kerberos authentication by considering ticket lifetimes and clock skew.

License

MIT license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

jschell/krbtgtRotate

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
docs
docs
 
 
en-us
en-us
 
 
private
private
 
 
public
public
 
 
tests
tests
 
 
LICENSE.txt
LICENSE.txt
 
 
ReadMe.md
ReadMe.md
 
 
krbtgtRotate.psd1
krbtgtRotate.psd1
 
 
krbtgtRotate.psm1
krbtgtRotate.psm1
 
 

Repository files navigation

krbtgtRotate

⚠️ WARNING:
The krbtgt account is a special built-in account in Active Directory used by the Kerberos Key Distribution Center (KDC) to encrypt and sign all Kerberos tickets within the domain.
Improper rotation or mishandling of the krbtgt password can result in domain-wide authentication failures, service outages, or loss of access for users and computers.
Only experienced administrators should use this module, and all actions must be thoroughly tested in a non-production environment before any production use.

Introduction

krbtgtRotate is a PowerShell module for safely rotating the krbtgt account password in Active Directory environments. It ensures password changes do not disrupt Kerberos authentication by considering ticket lifetimes and clock skew.

Requirements

  • PowerShell 3.0 or later
  • Active Directory module
  • GroupPolicy module
  • Sufficient privileges to reset the krbtgt password and write to event logs

Installation

  1. Download or clone the repository.
  2. Import the module in your PowerShell session: 
    Import-Module .\krbtgtRotate.psd1

Getting Started

1. Register the Event Log Source

Before rotating the password, register the event log source:

Register-KrbtgtEventLog

This ensures logging is set up for auditing and troubleshooting.

2. Check Minimum Password Age

Verify how long you must wait between rotations:

Get-KrbtgtPasswordMinimumAge

3. Rotate the krbtgt Password

To safely rotate the password:

Invoke-KrbtgtPasswordRotate -Force

This command will orchestrate the rotation, sync, and logging.

4. Review Logs

Logs are written to both the event log and a file (default: current directory). Check these for status and errors.

Example Usage

# Register event log source
Register-KrbtgtEventLog

# Check minimum age before rotation
Get-KrbtgtPasswordMinimumAge

# Rotate password with default settings
Invoke-KrbtgtPasswordRotate -Force

Documentation

See the docs/ folder for detailed cmdlet documentation:

Troubleshooting

  • Ensure you run PowerShell as an administrator.
  • Review event logs and output files for errors.
  • Confirm all required modules are available.

Responsibility and Warranty

This module is provided as-is, with no warranty, express or implied.
Users are solely responsible for thoroughly testing all functionality in a safe, non-production environment before deploying in production.
The authors and contributors accept no liability for any issues or damages resulting from the use of this code.

About

krbtgtRotate is a PowerShell module for safely rotating the krbtgt account password in Active Directory environments. It ensures password changes do not disrupt Kerberos authentication by considering ticket lifetimes and clock skew.

Topics

powershell active-directory kerberos

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages