niaidsdt


krbtgt password

Have a question about the krbtgt account in an Active Directory domain. Per some government regulations, all accounts in a given domain need to have their passwords updated every 120 days. Pulling reports, the krbtgt account is coming up as not having been updated since October 2011.

To the best of my knowledge the krbtgt is an internally maintained account in Active Directory, and best practice is to just leave it alone as it's pivotal to Kerberos. Some docs I've found say it's updated regularly but don't say what events will trigger an update. Can someone help shed some light on when the account gets updated?
motnahp00

What utility are you using to scan your systems? You can exempt service accounts from this requirement.
niaidsdt

ASKER

We are using PowerShell and other tools to crawl our domain and report on accounts. Yes, I can exempt it; I'm just looking for details/facts about when AD updates the krbtgt account so I can accurately provide information to mgmt.
Mike Kline
There is actually confusion in some Microsoft docs on this. The askPFE team recently talked about this too:

http://blogs.technet.com/b/askpfeplat/archive/2012/04/09/a-few-things-you-should-know-about-raising-the-dfl-and-or-ffl-to-windows-server-2008-r2.aspx

Some TechNet articles have stated that the krbtgt password is periodically changed but that is not true. There is obvious concern that this password does not change, but this password is very complex and this account is also disabled by default.


You probably saw Jane's article: http://blogs.technet.com/b/janelewis/archive/2006/12/19/the-krbgt-account-what-is-it.aspx

I support the federal govt too. We get waivers for accounts like krbtgt.

Thanks

Mike
I support Uncle Sam too. I have run the DISA Gold Disk against many DCs and this account never ever pops up for a CAT. Hence my curiosity earlier.
motnahp00: open up Active Directory Users and Computers > click View > Advanced > browse directly to the krbtgt account > right-click > Properties > Attributes tab and check pwdLastSet.

mike: problem is the institute I work for doesn't have a blanket policy. We can have 60, 120, 365 and never. The verbiage for "never" is very weak, stating that at some point in time it must be updated. I'll have to check the policy to verify that what I'm saying about "never" is true.

In any case, the waivers will need some kind of "how am I going to secure this account" justification. Anyone got any Microsoft KBs saying to just leave it alone? I guess I could just say it will always be disabled and cannot be enabled. That should do...
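Since the asker already crawls the domain with PowerShell, and the post above gives the ADUC click path to pwdLastSet, here is an added example that is not from this thread: it reads the same attribute through the RSAT ActiveDirectory module (Get-ADUser) and reports whether the krbtgt password age exceeds the 120-day threshold mentioned in the question. It is read-only and rotates nothing; the function name Get-KrbtgtPasswordAge and its -MaxAgeDays and -Server parameters are my own, not anything from the thread or from Microsoft.

```powershell
# Added example (not from the thread): report the krbtgt password age against a
# policy threshold. Read-only. Assumes the RSAT ActiveDirectory module is
# installed and the caller has read access to the domain.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordAge {
    [CmdletBinding()]
    param(
        # Threshold taken from the question (120 days); adjust to your policy.
        [int]$MaxAgeDays = 120,
        # Optional: query a specific domain controller or another domain.
        [string]$Server
    )

    $params = @{
        Identity   = 'krbtgt'
        Properties = 'PasswordLastSet', 'pwdLastSet', 'Enabled'
    }
    if ($Server) { $params['Server'] = $Server }

    $krbtgt = Get-ADUser @params

    # pwdLastSet is a raw FILETIME (100 ns ticks since 1601-01-01 UTC);
    # PasswordLastSet is the same value already converted by the module.
    $lastSet = $krbtgt.PasswordLastSet
    if (-not $lastSet -and $krbtgt.pwdLastSet) {
        $lastSet = [DateTime]::FromFileTimeUtc([long]$krbtgt.pwdLastSet)
    }

    $age = $null
    if ($lastSet) {
        $age = (Get-Date).ToUniversalTime() - $lastSet.ToUniversalTime()
    }

    # Treat an unreadable or missing date as a policy finding rather than a pass.
    [PSCustomObject]@{
        SamAccountName  = $krbtgt.SamAccountName
        Enabled         = $krbtgt.Enabled        # krbtgt is disabled by default
        PasswordLastSet = $lastSet
        AgeDays         = if ($null -ne $age) { [int]$age.TotalDays } else { $null }
        MaxAgeDays      = $MaxAgeDays
        ExceedsPolicy   = if ($null -ne $age) { $age.TotalDays -gt $MaxAgeDays } else { $true }
    }
}

# Usage: run on a management host with RSAT; pipe to Export-Csv for the report.
Get-KrbtgtPasswordAge -MaxAgeDays 120 | Format-List
```

The object it returns slots into whatever account report the asker already produces, so the krbtgt finding can be shown alongside its waiver rather than silently dropped.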
ASKER CERTIFIED SOLUTION
Mike Kline
I'm aware of account attributes.

I could not find a KB regarding leaving this account alone. Hmm... inherited controls... access and administration of the service account restricted to Domain Admins / Enterprise Admins. If that doesn't work, feel free to disable it and look forward to the ramifications later. :)
Thanks Mike. I'm going to reference that KB as my justification. Sucks M$ doesn't provide docs about when it's updated. Thinking about it, the date ours was last set was when we raised the DFL from 2003 to 2008. My guess is this is the only time it is updated.