GithubHelp home page GithubHelp logo

m2021acct / krbtgt Goto Github PK

View Code? Open in Web Editor NEW

This project forked from pssectools/krbtgt

0.0 0.0 0.0 94 KB

Module to update the Krbtgt password

License: MIT License

PowerShell 99.96% C# 0.04%

krbtgt's Introduction

Krbtgt

Welcome to the project to deliver on all your Krbtgt account password reset issues.

How to use

Reset-KrbPassword

And that's all you need ... unless you need to reset the krbtgt account for Read Only DCs, in which case you'll also want to use this:

Reset-KrbRODCPassword

Prerequisites

  • All Domain Controllers need to be manageable by WinRM & PowerShell Remoting
  • Modules required on the executing computer:
    • Active Directory Module
    • PSFramework Module
    • Group Policy Module (optional)

The Procedure

For the full krbtgt password reset, Reset-KrbPassword will perform the following operations:

  • Retrieve the krbtgt account and check, whether it is safe to reset the password
    • It checks the PwdLastSet property for the last time it was reset
    • It checks group policy for the Kerberos configuration to calculate the next safe reset time (valid ticket duration + 2x Time Skew)
    • This validation can be disabled using the -Force parameter (Note: Doing so will have a HUGE impact on most production environments)
  • Perform a test password reset with a dummy account
    • Creates a temporary account and ensures, the password reset is properly replciated using the same tools as the main reset will be using.
  • Reset the krbtgt account password on the PDC Emulator
  • Force all DCs in the domain to do a single object replication of the krbtgt account against the PDC

Logging

The entire procedure is automatically logged using the PSFramework module.

All actions are logged to memory and can be retrieved using:

Get-PSFMessage

Furthermore, it will automatically create a debug log that is by default written to AppData of the executing user. To access the specific path it will write to, execute the following line:

Get-PSFConfigValue -FullName PSFramework.Logging.FileSystem.LogPath

Logs are (by default) retained for 7 days. This logging can be extended to log to persisted files are straight to your SIEM solution of choice. For more details on this system, see PSFramework Quickstart Guide to Logging.

More Tools

  • Use Test-KrbPasswordReset in order to do just the test run without any action.
  • Use Get-KrbAccount to retrieve information on the krbtgt account.

krbtgt's People

Contributors

friedrichweinmann avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.