(2022-12-21) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 6)
Posted by Jorge on 2022-12-21
Some time ago I wrote a PowerShell script to reset the KrbTgt Account Password of both RWDCs and RODCs.
–
More information can be found through the following link:
- (2018-12-30) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs
- (2019-02-12) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 1)
- (2019-02-25) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 2)
- (2020-02-10) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 3)
- (2020-02-18) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 4)
- (2020-04-06) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 5)
Compared to the previous versions, this new version has many updates and new features. It took some serious time to code everything, and also to test all scenarios I could think of. I deem it ready to be released to the public for all to benefit from!
Merry Christmas all, and sorry it took so long to release this. Hope it helps to stay secure and it makes your life easier!
The script itself can be downloaded through the following link: Reset The KrbTgt Account Password/Keys For RWDCs/RODCs (PS1). If you want to use the new feature that e-mails the log file, you also need the XML file that stores the mail-related settings. You can download the XML through the following link: Reset The KrbTgt Account Password/Keys For RWDCs/RODCs (XML)
–
Since the last time the script was published, the following changes were made:
- v3.3, 2022-12-20, Jorge de Almeida Pinto [MVP-EMS]:
- Bug Fix: updated the attribute type when specifying the number of the AD domain instead of the actual FQDN of the AD domain
- v3.2, 2022-11-05, Jorge de Almeida Pinto [MVP-EMS]:
- New Feature: Adding support for scheduled/automated password reset of KrbTgt account password for either all RWDCs, all individual RODCs or specific RODCs
- New Feature: Added mail function and parameter to mail the log file for review after execution with results
- New Feature: Adding support for signed mail
- New Feature: Adding support for encrypted mail
- Bug Fix: Minor textual fixes
- Bug Fix: fix an issue where one confirmation of continueOrStop would be inherited by the next
- Bug Fix: fix an issue where the forest root domain would always be chosen as the source for replication and GPOs instead of the chosen AD domain when using custom credentials. This caused "replicate single object" to fail, and likewise the determination of the Kerberos settings in the resultant GPO
- Code Improvement: Added function getServerNames to retrieve server related names/FQDNs
- Code Improvement: Added support for disjoint namespace, e.g. AD domain FQDN = ADDOMAIN.COM and DCs FQDN for that AD domain = .SOMEDNSDOMAIN.COM
- Code Improvement: Removed ALL dependencies for the ActiveDirectory PoSH module and replaced those with alternatives
- Code Improvement: Redefinition of tables holding data for processing
- Code Improvement: Upgraded to S.DS.P PowerShell Module v2.1.5 (2022-09-20)
- Improved User Experience: Added the NetBIOS name of the AD domain to the list of AD domains in an AD forest
- Improved User Experience: Added the option to the function to install required PoSH modules when not available
- Improved User Experience: Added support to specify the number of an AD domain in the list instead of its FQDN
- v3.1, 2022-06-06, Jorge de Almeida Pinto [MVP-EMS]:
- Improved User Experience: The S.DS.P PowerShell Module v2.1.4 has been included in this script (with permission and under the GPL license) to remove the dependency on the AD PowerShell Module when querying objects in AD. The ActiveDirectory PowerShell module is still used to get forest, domain, and domain controller information.
- Improved User Experience: Removed dependency on port 135 (RPC Endpoint Mapper) and 9389 (AD Web Service)
- Bug Fix: Getting the description of the Test KrbTgt accounts in remote AD forest with explicit credentials to compare and fix later
- Code Improvement: In addition to check for the correct description, also check if the test KrbTgt accounts are member of the correct groups
- Code Improvement: Updated function createTestKrbTgtADAccount
- Bug Fix: Minor textual fixes
- v3.0, 2022-05-27, Jorge de Almeida Pinto [MVP-EMS]:
- Bug Fix: Changed variable from $pwd to $passwd
- Bug Fix: Variable used in single-quoted string. Wrapped in double-quote to fix
- Bug Fix: Fix missing conditions and eventually credentials when connecting to a remote untrusted AD forest
- Code Improvement: Minor improvements through scripts
- Code Improvement: Changed variable from $passwordNrChars to $passwdNrChars
- Code Improvement: Updated function confirmPasswordIsComplex
- Code Improvement: Instead of assuming the "Max Tgt Lifetime In Hours" and the "Max Clock Skew In Minutes" are configured in the Default Domain Policy GPO (the default), it now performs an RSoP to determine which GPO provides the authoritative values, and then uses the values from that GPO
- Code Improvement: Added check for required PowerShell module on remote RWDC when running Invoke-Command CMDlet
- Code Improvement: Added function ‘requestForAdminCreds’ to request for admin credentials
- Improved User Experience: Specifically mentioned the requirement for the ADDS PoSH CMDlets and the GP PoSH CMDlets
- Improved User Experience: Checking AD forest existence through RootDse connection in addition to DNS resolution
- Code Improvement: Added a variable for connectionTimeout and changed the default of 500ms to 2000ms
- v2.9, 2021-05-04, Jorge de Almeida Pinto [MVP-EMS]:
- Improved User Experience: Added additional info and recommendations
- New Feature: Added function to check UAC elevation status, and if not elevated to start the script automatically using an elevated PowerShell Command Prompt
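Several of the changelog items above describe a single design choice: talk to the directory over plain LDAP with no ActiveDirectory module, no RPC endpoint mapper (135) and no AD Web Service (9389), verify a forest by reading RootDSE rather than trusting DNS alone, derive the AD domain's DNS name independently of the DC host name so a disjoint namespace works, and relaunch elevated when UAC has not elevated the session. The block below is an added example that reproduces those points with the System.DirectoryServices.Protocols assembly that ships with .NET on Windows; it is not code from Jorge's script or from the bundled S.DS.P module. The host name dc01.somednsdomain.com, the domain addomain.com and the function names are constructed for the example; the RootDSE attribute names and the krbtgt sAMAccountName are real.

```powershell
# Added example, not part of the script on this page. Probes an AD domain over LDAP only
# (TCP/389): no ActiveDirectory module, no port 135, no port 9389, using S.DS.P.
# Host and domain names are constructed placeholders; replace them with your own.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-IsElevated {
    # UAC check as in the v2.9 feature: is this process running as Administrator?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Connect-Ldap {
    param(
        [Parameter(Mandatory)][string]$Server,                  # DC host name, or the AD domain FQDN (DNS then picks a DC)
        [int]$Port = 389,
        [System.Management.Automation.PSCredential]$Credential, # omit to use the caller's own Kerberos/NTLM identity
        [int]$TimeoutSeconds = 2                                # v3.0 raised the script's default from 500 ms to 2 s
    )
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn = if ($Credential) {
        [System.DirectoryServices.Protocols.LdapConnection]::new($id, $Credential.GetNetworkCredential())
    } else {
        [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    }
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.Signing = $true   # integrity and confidentiality on the session
    $conn.SessionOptions.Sealing = $true   # without requiring LDAPS on 636
    $conn.Timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    $conn.Bind()                           # throws LdapException if nothing speaks LDAP here or the bind is refused
    return $conn
}

function Get-RootDse {
    param([Parameter(Mandatory)][System.DirectoryServices.Protocols.LdapConnection]$Connection)
    # A base-scope search on the empty DN returns RootDSE. An answer proves a DC is
    # actually listening, which a successful DNS lookup alone does not (v3.0 item).
    $attrs = 'dnsHostName', 'defaultNamingContext', 'rootDomainNamingContext',
             'configurationNamingContext', 'ldapServiceName', 'isSynchronized'
    $req   = [System.DirectoryServices.Protocols.SearchRequest]::new('', '(objectClass=*)', 'Base', $attrs)
    $entry = $Connection.SendRequest($req).Entries[0]
    $info  = @{}
    foreach ($a in $attrs) {
        if ($entry.Attributes.Contains($a)) { $info[$a] = $entry.Attributes[$a].GetValues([string])[0] }
    }
    # Derive the AD domain's DNS name from the naming context, never from the DC host name:
    # in a disjoint namespace dc01.somednsdomain.com can be a DC of addomain.com (v3.2 item).
    $info['domainDnsName'] = (($info['defaultNamingContext'] -split ',') -replace '^DC=', '') -join '.'
    return $info
}

function Get-KrbTgtPasswordAge {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [Parameter(Mandatory)][string]$DomainDn,
        # RWDCs share 'krbtgt'; each RODC has its own krbtgt_<id>. The pattern also keeps
        # this caller-supplied value from being used for LDAP filter injection.
        [ValidatePattern('^krbtgt(_\d+)?$')][string]$SamAccountName = 'krbtgt'
    )
    $filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    $req    = [System.DirectoryServices.Protocols.SearchRequest]::new($DomainDn, $filter, 'Subtree', 'pwdLastSet')
    $resp   = $Connection.SendRequest($req)
    if ($resp.Entries.Count -ne 1) {
        throw "Expected exactly one '$SamAccountName' object under $DomainDn, found $($resp.Entries.Count)"
    }
    # pwdLastSet is a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC), delivered as a string
    $lastSet = [DateTime]::FromFileTimeUtc([long]$resp.Entries[0].Attributes['pwdLastSet'].GetValues([string])[0])
    return [pscustomobject]@{
        DistinguishedName = $resp.Entries[0].DistinguishedName
        PwdLastSetUtc     = $lastSet
        AgeDays           = [math]::Round(((Get-Date).ToUniversalTime() - $lastSet).TotalDays, 1)
    }
}

# --- usage (constructed names) ---
if (-not (Test-IsElevated) -and $PSCommandPath) {
    # v2.9 behaviour: relaunch this script file elevated and let the non-elevated copy exit.
    # (The read-only LDAP probe below does not itself need elevation.)
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList '-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$PSCommandPath`""
    exit
}
$conn    = Connect-Ldap -Server 'dc01.somednsdomain.com'   # a DC of addomain.com in a disjoint namespace
$rootDse = Get-RootDse -Connection $conn
"DC host name   : $($rootDse.dnsHostName)"
"AD domain DNS  : $($rootDse.domainDnsName)"
"isSynchronized : $($rootDse.isSynchronized)"
Get-KrbTgtPasswordAge -Connection $conn -DomainDn $rootDse.defaultNamingContext | Format-List
$conn.Dispose()
```

Only TCP/389 to the DC is needed (set Port to 636 and `$conn.SessionOptions.SecureSocketLayer = $true` if you want LDAPS instead); Negotiate with signing and sealing already gives Kerberos-authenticated, encrypted traffic. Running the probe against each RWDC before and after a reset is a cheap cross-check of what the script logs: pwdLastSet on the krbtgt object should move to the reset time on every DC once the change has replicated, and the AgeDays value tells you how stale the current TGT key is before you start.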
–
HAVE FUN!
–
PS: Got any feedback or request, please use Github to report bugs or requests! Thanks!
–
Cheers,
Jorge
————————————————————————————————————————————————————-
This posting is provided “AS IS” with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### IAMTEC | Jorge’s Quest For Knowledge ##########################
#################### https://jorgequestforknowledge.wordpress.com/ ###################
————————————————————————————————————————————————————
Identity | Security | Recovery
————————————————————————————————————————————————————-
BBag said
I think I’m missing something, how do you trigger modes 8 and 9?
BBag said
Ah, I was trying to specify it with the modeofoperation, but when I left that out, I see that the script prompts to choose the mode.
Thanks for all the work you put into this!
(2023-03-04) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 7) « Jorge's Quest For Knowledge! said
[…] « (2022-12-21) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (U… […]