This script leverages the script provided by Microsoft and can be used for password changing. The original script can be found here.
The script leverages the PowerShell cmdlet "Invoke-Command". For the script to work, the environment and the user running the script must be able to remote into the target machine.
For help with environment setup, go here.
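As an added illustration (this is not the project's "KRBTGT Secret Server Script.ps1" and not Microsoft's reset script), the following PowerShell skeleton accepts the same arguments Secret Server passes to the password changer, validates them, checks that WinRM on the invoke machine is reachable with the supplied credential, and then runs a script there through Invoke-Command. The location of the reset script on the invoke machine and the parameter names that inner script accepts are assumptions; adjust them to whatever you actually deploy.

```powershell
# Added example, not the project's script and not Microsoft's reset script.
# Takes the arguments Secret Server passes (see the password changer args),
# validates them, confirms WinRM reachability and runs a script remotely.
param(
    [Parameter(Mandatory = $true)][string]$InvokeMachine,
    [string]$TargetAdForest = '',
    [string]$TargetAdDomain = '',
    [ValidateRange(1, 4)][int]$AccountScope = 1,            # 1-4, as in the "Account Scope" field
    [string]$DcAccountList = '',
    [Parameter(Mandatory = $true)][string]$Username,        # $[1]$USERNAME from the linked secret
    [Parameter(Mandatory = $true)][string]$Password,        # $[1]$PASSWORD from the linked secret
    [ValidateSet(0, 1, 2, 3, 4, 8, 9)][int]$RunOption = 1,  # defaults to informational mode here
    [string]$LogPath = 'C:\Temp\KrbTgt-Reset.log'           # path on the invoke machine
)

# Assumed location of the reset script on the invoke machine (PLACEHOLDER).
$remoteScriptPath = 'C:\Scripts\Reset-KrbTgt.ps1'

# Wrap the plain-text password Secret Server hands us into a PSCredential.
$securePassword = ConvertTo-SecureString -String $Password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($Username, $securePassword)

# Pre-flight: fail early with a clear message if the caller cannot reach
# WinRM on the invoke machine, instead of a generic remoting error later.
try {
    Test-WSMan -ComputerName $InvokeMachine -Credential $credential -Authentication Default -ErrorAction Stop | Out-Null
} catch {
    throw "Cannot remote into '$InvokeMachine' as '$Username': $($_.Exception.Message)"
}

# Everything in this script block runs on the invoke machine. The parameter
# names passed to the inner script are assumed; match them to your script.
$remoteJob = {
    param($ScriptPath, $Forest, $Domain, $Scope, $DcList, $Mode, $Log)

    if (-not (Test-Path -LiteralPath $ScriptPath)) {
        throw "Reset script not found at '$ScriptPath'"
    }

    # Record the whole session so the log on the invoke machine shows which
    # mode ran (informational, simulation or real reset) and against what.
    Start-Transcript -Path $Log -Append | Out-Null
    try {
        Write-Output "Run option $Mode, account scope $Scope, forest '$Forest', domain '$Domain', DCs '$DcList'"
        & $ScriptPath -targetAdForest $Forest -targetAdDomain $Domain `
                      -accountScope $Scope -dcAccountList $DcList -runOption $Mode
        return $LASTEXITCODE   # set only if the inner script calls exit <n>
    } finally {
        Stop-Transcript | Out-Null
    }
}

$exitCode = Invoke-Command -ComputerName $InvokeMachine -Credential $credential `
    -ScriptBlock $remoteJob `
    -ArgumentList $remoteScriptPath, $TargetAdForest, $TargetAdDomain, $AccountScope, $DcAccountList, $RunOption, $LogPath `
    -ErrorAction Stop

# Secret Server treats a terminating error as a failed password change, so
# surface a non-zero exit code from the remote run as an error here.
if ($exitCode -is [int] -and $exitCode -ne 0) {
    throw "Remote reset script returned exit code $exitCode; see $LogPath on $InvokeMachine"
}
```

Note that this example defaults `-runoption` to 1 (informational mode), unlike the "Run Option" field described below, whose default is 4 (real reset); with a template that passes the field explicitly the two behave the same, and the stricter default only protects against a template that omits the value.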
- Create the script in Secret Server (PowerShell)
  - Go to Admin -> Scripts
  - Under the "PowerShell" tab, click "Create New"
  - Copy in the script "KRBTGT Secret Server Script.ps1" and click "Ok"
- Create a Password Type that uses the script you just created
  - Go to Admin -> Remote Password Changing
  - Click "Configure Password Changing"
  - Click "New"
  - Select "PowerShell Script" as the Base Password Changer, enter a name and save (example: "KRBTGT Password Change")
  - Under "Password Change Commands" select the script created and enter the following as args:
    -InvokeMachine $INVOKE MACHINE -targetAdforest $TARGET AD FOREST -targetaddomain $TARGET AD DOMAIN -accountscope $Account Scope -dcaccountlist $AD Domain Controller Account(s) -username $[1]$USERNAME -password $[1]$PASSWORD -runoption $RUN OPTION -logpath $LOG PATH
  - Save
- Create a Secret Template that uses the Password Type previously created
  (To import the Secret Template click here)
  - Go to Admin -> Secret Templates
  - Click "Create New"
  - Create the following Secret Fields
    - "Invoke Machine" -> Machine to invoke into
    - "Target AD Forest" -> Target AD forest (can be empty)
    - "Target AD Domain" -> Target AD domain (can be empty)
    - "Account Scope" -> Script scope to run, 1 - 4
      - 1 - Scope of KrbTgt in use by all RWDCs in the AD Domain (DEFAULT)
      - 2 - Scope of KrbTgt in use by specific RODC - Single RODC in the AD Domain
      - 3 - Scope of KrbTgt in use by specific RODC - Multiple RODCs in the AD Domain
      - 4 - Scope of KrbTgt in use by specific RODC - All RODCs in the AD Domain
    - "AD Domain Controller Account(s)" -> AD Domain Controller account(s) to target
    - "Run Option" -> Run option
      - 1 - Informational Mode (No Changes At All)
      - 2 - Simulation Mode (Temporary Canary Object Created, No Password Reset!)
      - 3 - Simulation Mode - Use KrbTgt TEST/BOGUS Accounts (Password Will Be Reset Once!)
      - 4 - Real Reset Mode - Use KrbTgt PROD/REAL Accounts (Password Will Be Reset Once!) (DEFAULT)
      - 8 - Create TEST KrbTgt Accounts
      - 9 - Cleanup TEST KrbTgt Accounts
      - 0 - Exit Script
    - "Log Path" -> Desired log path (the script logs on the "Invoke Machine")
    - "Fake Password" -> Fake password (Secret Server workaround)
  - Click "Configure Password Changing"
  - Click "Edit"
  - Check "Enable Password Changing"
  - Select the Password Type from above for "Password Type To Use"
  - Fill in the other password change settings as desired
  - Save