krbtgt password

niaidsdt
I have a question about the krbtgt account in an Active Directory domain.  Per some government regulations, all accounts in a given domain need to have their passwords updated every 120 days.  Pulling reports, the krbtgt account is coming up as not having been updated since October 2011.

To the best of my knowledge the krbtgt is an internally maintained account in Active Directory and best practice is to just leave it alone, as it's pivotal to Kerberos.  Some docs I've found say it's updated regularly but don't say what events will trigger an update.  Can someone help shed some light on when the account gets updated?
What utility are you using to scan your systems? You can exempt service accounts from this requirement.

Author

Commented:
We are using PowerShell and other tools to crawl our domain and report on accounts.  Yes, I can exempt it; I'm just looking for details/facts about when AD updates the krbtgt account so I can accurately provide information to mgmt.
Top Expert 2013

Commented:
There is actually confusion in some Microsoft docs on this.  The askPFE team recently talked about this too:

http://blogs.technet.com/b/askpfeplat/archive/2012/04/09/a-few-things-you-should-know-about-raising-the-dfl-and-or-ffl-to-windows-server-2008-r2.aspx

Some TechNet articles have stated that the krbtgt password is periodically changed but that is not true. There is obvious concern that this password does not change, but this password is very complex and this account is also disabled by default.


You probably saw Jane's article: http://blogs.technet.com/b/janelewis/archive/2006/12/19/the-krbgt-account-what-is-it.aspx

I support the federal govt too.  We get waivers for accounts like krbtgt.

Thanks

Mike

I support Uncle Sam too. I have run the DISA Gold Disk against many DCs and this account never ever pops up for a CAT. Hence my curiosity earlier.

Author

Commented:
motnahp00:  open up Active Directory Users and Computers > click View > Advanced Features > browse directly to the krbtgt account > right click > Properties > Attribute Editor tab and check pwdLastSet.

mike:  the problem is the institute I work for doesn't have a blanket policy.  We can have 60, 120, 365 and never.  The verbiage for "never" is very weak, stating that at some point in time it must be updated.  I'll have to check the policy to verify that what I'm saying about "never" is true.

In any regard, the waivers will need some kind of "how am I going to secure this account" justification.  Anyone got any Microsoft KBs saying to just leave it alone?  I guess I could just say it will always be disabled and cannot be enabled.  That should do...
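The pwdLastSet check described above, done from PowerShell instead of the ADUC attribute editor, as an added example that is not part of the original thread. It reports the password age of krbtgt (and any RODC-specific krbtgt_* accounts, going a little beyond the thread) against a policy limit; it assumes the ActiveDirectory module (RSAT) and read access to the accounts, and the 120-day threshold is taken from the question.

```powershell
# Added example, not from the original thread. Reports the krbtgt password age
# against a policy limit so the result can be attached to a waiver or a reset plan.
# Assumes the ActiveDirectory PowerShell module (RSAT) and read access to the accounts.
Import-Module ActiveDirectory

$MaxAgeDays = 120   # assumed policy threshold from the thread; adjust to the applicable control

# pwdLastSet is stored as a Windows FILETIME (100-ns ticks since 1601-01-01 UTC),
# so it is converted here rather than read through the friendlier PasswordLastSet alias.
# The wildcard also picks up per-RODC krbtgt_<id> accounts, which have their own passwords.
$accounts = Get-ADUser -Filter 'SamAccountName -like "krbtgt*"' `
    -Properties pwdLastSet, Enabled, whenChanged

$report = foreach ($acct in $accounts) {
    $lastSet = [DateTime]::FromFileTimeUtc([int64]$acct.pwdLastSet)
    $ageDays = [int]((Get-Date).ToUniversalTime() - $lastSet).TotalDays
    [PSCustomObject]@{
        Account         = $acct.SamAccountName
        Enabled         = $acct.Enabled       # krbtgt is disabled by default
        PasswordLastSet = $lastSet
        AgeDays         = $ageDays
        ExceedsPolicy   = ($ageDays -gt $MaxAgeDays)
    }
}

$report | Format-Table -AutoSize

# Flag anything over the threshold so it can be documented (waiver) or scheduled for a reset
$report | Where-Object ExceedsPolicy | ForEach-Object {
    Write-Warning "$($_.Account) password is $($_.AgeDays) days old (policy maximum $MaxAgeDays days)"
}
```

Run it on a domain-joined host as an account that can read the krbtgt object; the same pwdLastSet value is what the ADUC Attribute Editor shows, only converted to a readable date.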
Top Expert 2013
Commented:
If you have to change it you can just wait for replication and things should work; Florian discussed it here: http://msgroups.net/microsoft.public.windows.server.active_directory/krbtgt-Password-Changed

One thing is he said 8 hours.  I think it is 10.  I can ping him offline about that (not a huge deal).

It is a fairly secure account by default: http://support.microsoft.com/kb/229909

Thanks

Mike
I'm aware of account attributes.

I could not find a KB regarding leaving this account alone. Hmm... inherited controls... access and administration of service account restricted to Domain Admins / Enterprise Admins. If that doesn't work feel free to disable and look forward to the ramifications later. :)

Author

Commented:
Thanks Mike.  I'm going to reference that KB as my justification.  Sucks M$ doesn't provide docs about when it's updated.  Thinking about it, the date ours was last set was when we raised the DFL from 2003 to 2008.  My guess is this is the only time it is updated.
