Reset The KrbTgt Account Password/Keys For RWDCs/RODCs

Information provided by Microsoft explaining why this is important: https://cloudblogs.microsoft.com/microsoftsecure/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/ . The original script was written by Jared Poeppelman, who works for Microsoft: https://

Active Directory
2/18/2020
  • Create scheduled task
    2 Posts | Last post February 10, 2020
    • In addition to my last question - it'd be cool to be able to schedule this to run automatically (and email out results...) on a routine - I'd imagine this wouldn't be hard to tweak and force selections and an email out instead of pump to screen/log file - but it seems this would be nice to have as a parameter / option in the script, so thought I'd put it as a suggestion here!
      Thanks
    • Hi,
      
      Sorry, I will not implement that as this is a process that needs to be in control. Accidentally running that on a schedule more than once in a timeframe that is too short will have serious impact.
      Regards,
      Jorge
  • Run against a different forest/domain
    2 Posts | Last post February 10, 2020
    • I have admin (builtin\administrator) rights but via an admin domain through a trust... if I log in and try and run the script, it runs in the user domain context - I need to run it against other domains though - is this going to be possible?  it's a bit awkward to create an admin account to run the script and then remove it again afterwards...
      Thanks
    • Hi,
      
      I have updated the script to support the following:
      * Targeting AD domains in the same AD forest as the running user account
      * Targeting AD domains in a remote AD forest where the running user account has permissions through a (forest) trust
      * Targeting AD domains in a remote AD forest where the running user account does not have permissions as there is no (forest) trust, credentials from the remote AD forest is used
      
      Regards,
      jorge
  • Language issue
    4 Posts | Last post February 10, 2020
    • Hi,
      
      When using mode 8, you try to add the krbtgt_TEST user in the "Denied RODC Password Replication Group" but you should use SID because of language translation (ie in french : "Groupe de réplication dont le mot de passe RODC est refusé"). 
      
      Otherwise :
      Get-ADGroupMember : Impossible de trouver un objet avec l'identité « Denied RODC Password Replication Group » sous : « DC=myadvens,DC=lan ».
      Au caractère C:\Scripts\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1:829 : 32
      +             $membershipDeniedPRPGroup = Get-ADGroupMember -Identity 'Denied RODC Password ...
      +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ObjectNotFound: (Denied RODC Password Replication Group:ADGroup) [Get-ADGroupMember], ADIdentityNotFoundException
          + FullyQualifiedErrorId : Impossible de trouver un objet avec l'identité « Denied RODC Password Replication Group » sous : « DC=myadvens,DC=lan ».,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMembe
      
      Add-ADGroupMember : Impossible de trouver un objet avec l'identité « Denied RODC Password Replication Group » sous : « DC=myadvens,DC=lan ».
      Au caractère C:\Scripts\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1:838 : 5
      +                 Add-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Member ...
      +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ObjectNotFound: (Denied RODC Password Replication Group:ADGroup) [Add-ADGroupMember], ADIdentityNotFoundException
          + FullyQualifiedErrorId : Impossible de trouver un objet avec l'identité « Denied RODC Password Replication Group » sous : « DC=myadvens,DC=lan ».,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMembe
    • has been fixed
    • Hello,
      You wrote that the localization of the group names "has been fixed", but the script that is available for download is still version 2.3 where the group names are hard coded in English:
      'Denied RODC Password Replication Group'
      'Allowed RODC Password Replication Group'
      Could you please publish the updated version?
      Thanks !
    • Hi,
      
      I had forgotten about the Allowed and Denied groups. Those have now been fixed too!
      enjoy!
      Regards,
      jorge
  • Exception calling "SetInfo" with "0" argument(s)
    3 Posts | Last post December 19, 2019
    • I ran the script in 3 Forests, including all 4 subdomains in one of them. It worked perfectly in all except one of the subdomains. In that subdomain it gave me the following error when attempting to reset the password on all of the RODC accounts (error was produced once for each RODC):
      
      [2019-12-10 16:40:21] :
      [2019-12-10 16:40:21] :   - Contacting DC in AD domain ...[MYDC.MY.DOMAIN.LOCAL]...
      [2019-12-10 16:40:21] :      * DC is Reachable...
      Exception calling "SetInfo" with "0" argument(s): "An operations error occurred.
      "
      At C:\Scripts\Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1:465 char:2
      +     $rootDSE.SetInfo()
      +     ~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
          + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI
      
      [2019-12-10 16:40:23] :      * The new password for Object [CN=krbtgt_xxxxx,CN=Users,DC=MY,DC=DOMAIN,DC=LOCAL] now does exist in the AD database
      [2019-12-10 16:40:23] :
      
      It appears this might just mean that the change was not immediately replicated. Is that the case? Any idea why this error occurred? I did not see anything unusual in the rest of the output, and the reset for the RWDC account password worked without any problems.
    • Hi,
      It did set the password. It fails in the function "replicateSingleADObject" which basically forces the replication on the RODC of the object from the RWDC where the password was set. Forcing replication is something extra to make the DC have the latest secrets of the krbtgt account. If you do not force repl, it will still get there eventually!
      Honestly I do not know why this is happening. The only thing I can say is that a DC (RWDC/RODC) is reachable if both port 135 and 389 (both TCP) are usable against the DC. Any firewalls preventing that traffic?
      Regards,
      jorge
    • By the way, have you tried using the canary object and the test krbtgt accounts for both RWDCs and RODCs? Is the result the same for that RODC? Using either the canaryObject option or the test accounts option, there is no impact on the environment besides you creating either a contact object or a test user account to use instead of using the real krbtgt accounts
      regards,
      jorge
  • Scope of KrbTgt question
    2 Posts | Last post December 19, 2019
    • Hello,
      
      Thank you for taking the time to create this.  I have 3 RWDC and 1 RODC. I'm a bit confused as to the timing of the targeting.  Once I'm ready to run Mode 4, would I target "1 - Scope of KrbTgt in use by all RWDCs in the AD Domain" and then run script again right away and target "4 - Scope of KrbTgt in use by specific RODC - All RODCs in the AD Domain"?  
    • Hi,
      
      Sorry for the very late reply. I did not get any notification about your Q. Just saw it now. In general, you choose to target the krbtgt account in use by all RWDCs in the AD domain. Then you can decide to either only do 1 RODC, all RODCs or a specific set of RODCs. So if you have both RWDCs and RODCs, you would need to run the script twice per AD domain. 1x for the RWDCs and 1x for all RODCs in the AD domain
      regards,
      jorge
  • Admin groups membership
    2 Posts | Last post February 13, 2019
    • Hi
      Couple of problems:
      1. The script checks the local token for admin groups while it has to check the network token (they can be different because of UAC).
      2. Admin groups are identified by names (i.e. "Domain Admins") while they have to be identified by SIDs (names are localized or can be changed). For example:
      # Build the Domain Admins SID from the well-known RID and the domain SID, then test the current token against it
      $domainAdminsSid = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid, (Get-ADDomain $adDomainInADForest).DomainSID)
      (New-Object System.Security.Principal.WindowsPrincipal $currentUser).IsInRole($domainAdminsSid)
    • Hi,
      
      Fixed [2]
      Could not fix [1] as I have no environment to test that at the moment
      
      Best Regards,
      Jorge
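
The two localization threads above ("Language issue" and "Admin groups membership") make the same point: well-known groups must be looked up by SID, not by their English display name. The following is an added example, not code from Jorge's script; it assumes the ActiveDirectory module is loaded, a placeholder domain name in $targetDomain, and the krbtgt_TEST account from the thread. The RIDs used are the documented well-known values (512 Domain Admins, 571 Allowed RODC PRP, 572 Denied RODC PRP).

```powershell
# Added example (not part of the Reset-KrbTgt script): language-independent group lookups.
Import-Module ActiveDirectory

function Get-WellKnownDomainGroup {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        # Well-known domain-relative RIDs: 512 Domain Admins, 571 Allowed RODC PRP, 572 Denied RODC PRP
        [Parameter(Mandatory)] [int] $Rid
    )
    $domainSid = (Get-ADDomain -Identity $DomainName).DomainSID.Value
    # Get-ADGroup accepts a SID string as -Identity, so a French or German DC resolves it the same way
    Get-ADGroup -Identity "$domainSid-$Rid" -Server $DomainName
}

$targetDomain    = 'corp.example.com'   # placeholder, replace with the real AD domain
$deniedPrpGroup  = Get-WellKnownDomainGroup -DomainName $targetDomain -Rid 572
$allowedPrpGroup = Get-WellKnownDomainGroup -DomainName $targetDomain -Rid 571

# Mode 8 equivalent: put the test krbtgt account in the Denied PRP group if it is not already there
$testAccount = Get-ADUser -Identity 'krbtgt_TEST' -Server $targetDomain
$alreadyDenied = Get-ADGroupMember -Identity $deniedPrpGroup -Server $targetDomain |
    Where-Object { $_.distinguishedName -eq $testAccount.DistinguishedName }
if (-not $alreadyDenied) {
    Add-ADGroupMember -Identity $deniedPrpGroup -Members $testAccount -Server $targetDomain
}

# Admin check by SID rather than by the localizable name 'Domain Admins'.
# Caveat from the thread: under UAC a non-elevated token carries admin groups as deny-only,
# so IsInRole returns $false until the session is elevated.
$domainAdminsSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid,
    (Get-ADDomain -Identity $targetDomain).DomainSID)
$principal = New-Object System.Security.Principal.WindowsPrincipal(
    [System.Security.Principal.WindowsIdentity]::GetCurrent())
$isDomainAdmin = $principal.IsInRole($domainAdminsSid)
```

Both PRP group objects are also needed for the "Allowed" side of the fix mentioned in the thread, which is why the example resolves RID 571 as well.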