(2023-03-04) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 7)
Posted by Jorge on 2023-03-04
Some time ago I wrote a PowerShell script to reset the KrbTgt Account Password of both RWDCs and RODCs.
More information can be found through the following links:
- (2018-12-30) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs
- (2019-02-12) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 1)
- (2019-02-25) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 2)
- (2020-02-10) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 3)
- (2020-02-18) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 4)
- (2020-04-06) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 5)
- (2022-12-21) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 6)
This new version has a MINOR bug fix, related to a bug in the S.DS.P. DLLs reporting an incorrect FFL/DFL when either one is running 2016.
The script itself can be downloaded through the following link: Reset The KrbTgt Account Password/Keys For RWDCs/RODCs (PS1). If you want to use one of the new features to e-mail the log file, then you also need the XML that stores the mail-related settings. You can download the XML through the following link: Reset The KrbTgt Account Password/Keys For RWDCs/RODCs (XML)
Since the last time the script was published, the following changes were made:
- v3.4, 2023-03-04, Jorge de Almeida Pinto [MVP-EMS]:
  - Bug Fix: The PowerShell cmdlets from the ActiveDirectory module DO recognize the 2016 FFL and DFL. The script DOES NOT use those anymore, but instead uses S.DS.P. The issue appears to be that MSFT did update the ActiveDirectory PowerShell module to recognize the 2016 FFL/DFL, but they apparently did not update the S.DS.P. DLLs to do the same. The script itself now detects this and reports the correct FFL/DFL when it is 2016.
HAVE FUN!
PS: If you have any feedback or requests, please use GitHub to report bugs or requests! Thanks!
Cheers,
Jorge
————————————————————————————————————————————————————-
This posting is provided “AS IS” with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### IAMTEC | Jorge’s Quest For Knowledge ##########################
#################### https://jorgequestforknowledge.wordpress.com/ ###################
————————————————————————————————————————————————————
Identity | Security | Recovery
————————————————————————————————————————————————————-