deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 20:33:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #4773 from MicrosoftGuyJFlo/patch-3

Browse Source 
[ADDS] Update from PG
This commit is contained in:
Daniel Simpson
2019-08-26 12:31:59 -07:00
committed by GitHub
parent 0a620276c7 b22cc39af2
commit 77eade582d
1 changed files with 2 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
windows/security/identity-protection/access-control/active-directory-accounts.md
View File

@ -12,7 +12,7 @@ manager: dansimp
ms.collection: M365-identity-device-management ms.collection: M365-identity-device-management
ms.topic: article ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 04/19/2017 ms.date: 08/23/2019
ms.reviewer: ms.reviewer:
--- ---
@ -330,9 +330,7 @@ Windows Server Kerberos authentication is achieved by the use of a special Kerbe
### KRBTGT account maintenance considerations ### KRBTGT account maintenance considerations
A strong password is assigned to the KRBTGT account automatically. Be sure that you change the password on a regular schedule. The password for the KDC account is used to derive a secret key for encrypting and decrypting the TGT requests that are issued. The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets. A strong password is assigned to the KRBTGT and trust accounts automatically. Like any privileged service accounts, organizations should change these passwords on a regular schedule. The password for the KDC account is used to derive a secret key for encrypting and decrypting the TGT requests that are issued. The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets.
On occasion, the KRBTGT account password requires a reset, for example, when an attempt to change the password on the KRBTGT account fails. In order to resolve this issue, you reset the KRBTGT user account password twice by using Active Directory Users and Computers. You must reset the password twice because the KRBTGT account stores only two of the most recent passwords in the password history. By resetting the password twice, you effectively clear all passwords from the password history.
Resetting the password requires you either to be a member of the Domain Admins group, or to have been delegated with the appropriate authority. In addition, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority. Resetting the password requires you either to be a member of the Domain Admins group, or to have been delegated with the appropriate authority. In addition, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.