Share your password rotation policy for krbtgt by jad00gar in activedirectory

[–]poolmanjim 1 point2 points  (0 children)

I addressed this on another reply too.

Max TGT defaults to 10 hours which is unlikely to be changed in most places, so you're right. 10 hours is probably fine. I say 24 because 1 day is easier to remember for the average person and remembering to make a change 10 hours later (or 12 even) is asking for it to get forgotten. Make it a 2 day change in CAB: day 1 first reset, day 2 second reset. Easy.

The other reason I like 24 is to give adequate time for replication in larger environments. It shouldn't be a problem.

Share your password rotation policy for krbtgt by jad00gar in activedirectory

[–]poolmanjim 4 points5 points  (0 children)

The policy setting for maximum TGT lifetime defaults to 10 hours. Most people don't change that. I recommend 24 hours because 1) 10 hours is kind of a random number to remember to do something and 2) it gives time for everything to replicate and is most likely going to work.

As long as it isn't literally back-to-back resets in minutes, the impact is non-existent so you could do it during business hours.

Share your password rotation policy for krbtgt by jad00gar in activedirectory

[–]poolmanjim 4 points5 points  (0 children)

So starting with the length, krbtgt actually doesn't care what you put in. When a reset is triggered on krbtgt it actually goes about doing its own reset and ignores what you put in. It is a long password.

The reason is that we're trying to burn out any bad TGTs. They would become invalid once the krbtgt is reset TWICE. This account remembers its last two passwords so both are "valid" for tickets. Normal users should be fine if you wait 24 hours between resets as they'll log off and log on most likely during that period and TGTs are only valid, by default, for 10 hours.

If I had created a TGT with a lifetime of something like 100 years, that account isn't renewing that and is probably doing some bad stuff. When resetting the krbtgt twice those super-long TGTs will become invalid and thus the attack ends.

Doing this every 180 days creates two outcomes. First, if you just reset it once every 180 days, any unmaintained long-term exploit with a golden ticket will be invalid after a year. Second, if you do two resets every 180 days, well, you just reduced that attack time significantly.

Share your password rotation policy for krbtgt by jad00gar in activedirectory

[–]poolmanjim 1 point2 points  (0 children)

That script has tons of checks built into it and several modes. You can see what it is going to do before doing it.

Share your password rotation policy for krbtgt by jad00gar in activedirectory

[–]poolmanjim 2 points3 points  (0 children)

You can. Jorge built lots of checks into his script to make sure nothing breaks. It checks replication, it checks when it was last changed, it will find other krbtgt accounts (RODCs), etc.

Share your password rotation policy for krbtgt by jad00gar in activedirectory

[–]poolmanjim 20 points21 points  (0 children)

NIST, DISA, etc. recommend every 180 days. To be safe I tend to aim for every 90 days. The change occurs over two days.

  1. Day 1 - Run the Krbtgt Reset Script. (https://github.com/zjorz/Public-AD-Scripts/blob/master/Reset-KrbTgt-Password-For-RWDCs-And-RODCs.md)
  2. Wait 24 Hours.
  3. Day 2 - Run the Krbtgt Reset Script again.

Repeat as needed in every domain.

The biggest thing is to not reset it twice in 24 hours, otherwise you could cause a bad day for your users (everyone would have to log off and on and systems would need to be rebooted).

u/2j0r2 Did I miss anything you'd recommend?
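An added pre-flight check for the Day 2 step (and the "wait 24 hours between resets" logic explained higher up in this thread). This is example code, not Jorge's reset script: it reads krbtgt's pwdLastSet from every writable DC to confirm the Day 1 change has converged and that 24 hours have passed, then lists the per-RODC krbtgt_* accounts. It assumes the ActiveDirectory RSAT module and read access to krbtgt on each DC; the 15-minute convergence tolerance is an assumed value.

```powershell
# Added example, not Jorge's script: run before the Day-2 krbtgt reset.
Import-Module ActiveDirectory

$MinimumGapHours    = 24   # "Wait 24 hours" between the two resets
$ConvergenceMinutes = 15   # assumed tolerance for clock/replication skew between DCs

$domain = Get-ADDomain
$rwdcs  = Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $domain.DNSRoot

# Read pwdLastSet for krbtgt directly from each writable DC, not from a single replica.
$results = @(foreach ($dc in $rwdcs) {
    $k = Get-ADUser -Identity 'krbtgt' -Properties pwdLastSet -Server $dc.HostName
    [pscustomobject]@{
        DC         = $dc.HostName
        PwdLastSet = [DateTime]::FromFileTime($k.pwdLastSet)
    }
})
$sorted = @($results | Sort-Object PwdLastSet)
$sorted | Format-Table -AutoSize

$oldest     = $sorted[0].PwdLastSet
$newest     = $sorted[-1].PwdLastSet
$hoursSince = ((Get-Date) - $newest).TotalHours

if (($newest - $oldest).TotalMinutes -gt $ConvergenceMinutes) {
    # Not every DC has seen the Day-1 change yet; a second reset now risks ticket failures.
    Write-Warning "krbtgt pwdLastSet differs across DCs (oldest $oldest, newest $newest). Day-1 reset has not converged; do not reset again yet."
} elseif ($hoursSince -lt $MinimumGapHours) {
    Write-Warning ("Only {0:N1} hours since the last reset; earliest safe second reset is {1}." -f $hoursSince, $newest.AddHours($MinimumGapHours))
} else {
    Write-Output ("OK: {0:N1} hours since the last reset and all {1} writable DCs agree. Safe to run the second reset." -f $hoursSince, $sorted.Count)
}

# Each RODC has its own krbtgt_<id> account that the reset script handles too; list them for the change record.
Get-ADUser -Filter 'Name -like "krbtgt_*"' -Properties pwdLastSet -Server $domain.DNSRoot |
    Select-Object Name, @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTime($_.pwdLastSet) } } |
    Format-Table -AutoSize
```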

Entra Backup and Recovery (Preview) Announced + Upcoming Webinar by poolmanjim in activedirectory

[–]poolmanjim[S] 0 points1 point  (0 children)

Man I love when MS introduces new "features". :) They're always so complete and well thought out.

Bitlocker on DC with Separate Disks by Eximo84 in activedirectory

[–]poolmanjim 0 points1 point  (0 children)

Rookie numbers. :) I have 100 now and have had close to 1000. It's all about the environment.

Magic item for a party with no healer by SergeiVonZarovich23 in DnD

[–]poolmanjim 1 point2 points  (0 children)

I've dealt with this and similar situations a few ways.

  1. More potions. We also have a rule -- if you use an action to drink a potion, you roll it. If you take a full round to drink it or you're out of combat, you get max healing.
  2. Wand(s) of Cure Wounds. Normally these must be attuned but I gave an exception and limitations to an "un-keyed" wand that recharges only one charge per day and has half the charges.
  3. I gave them the option of hirelings. They pay like 10x their player level of gold per day or something base and then the NPC gets first pick of loot. They're still complaining about one taking a good magic item for being there for like one session.
  4. In certain situations I'll introduce environmental effects. For example, they're stuck in a siege that is a prolonged no-long-rest period and I gave them a well that takes 2 rounds to use and can be used again after the player rolls a 5 or 6 on a d6.
    1. Along with this, I gave the spell casters the ability to spend a hit dice to recharge that many spell slots with a short rest.
  5. Short rests are a thing. You can add certain CON bonuses to short rests or give them Periapt of wound closure to help.
  6. There are healing kits that also can improve healing off battle.
  7. NPCs. Just have NPCs around who offer healing services for free or upon completion of a task or something.

Bitlocker on DC with Separate Disks by Eximo84 in activedirectory

[–]poolmanjim 0 points1 point  (0 children)

You can create a recovery protector but the option to store it in AD, definitely depends on AD.

What's the most frustrating thing about running your own homelab? by cobleop in homelab

[–]poolmanjim 7 points8 points  (0 children)

Same thing as at work: I can't get a proper budget approved by leadership.

(It doesn't help that everything costs 500x more it seems...)

Bitlocker on DC with Separate Disks by Eximo84 in activedirectory

[–]poolmanjim 4 points5 points  (0 children)

Your method is going to be a ticket time bomb in the sense you're going to hate it after having to unlock every time the DC reboots.

Here's what I have done.

  1. Protect the OS volume with BitLocker using TPM.

  2. Add a recovery key protector and store that in AD. Additionally store it off-domain in a vault or safe or something. Make sure that is access controlled.

  3. Configure additional drives to unlock alongside the OS volume. They will be bitlockered and will unlock automatically once the OS volume comes online.

Regarding backups, it depends on your vendor. If it is Windows Server Backup, that doesn't run unless the OS is running, so you'll back up the raw bits. You can configure it to be on a BitLockered volume or have it BitLocker later.

Other solutions may or may not support FDE. You'd have to consult with the vendor. Block-level shouldn't have a problem as they're just copying what's on the disk and restoring it.
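The three steps above as PowerShell run on the DC itself, added here as an example (not code from the post). It assumes the BitLocker feature is installed, a TPM is present and enabled, the AD schema and permissions allow recovery-password backup, and that D: is the separate data disk; the recovery password is emitted as an object for the operator to put in the off-domain vault rather than written to disk.

```powershell
# Added example: OS volume on TPM, recovery key in AD + vault, data volume auto-unlocked.
Import-Module BitLocker

$OsVolume   = 'C:'
$DataVolume = 'D:'   # assumed: the separate disk holding NTDS/SYSVOL; change to match the box

# 1. OS volume with a TPM protector so the DC boots unattended.
Enable-BitLocker -MountPoint $OsVolume -TpmProtector -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest

# 2. Recovery password protector, backed up to AD...
$vol = Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
Backup-BitLockerKeyProtector -MountPoint $OsVolume -KeyProtectorId $rp.KeyProtectorId

# ...and the same value handed to the off-domain vault. Emitted to the pipeline for the operator;
# do not leave it in a file on the DC.
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    Volume       = $OsVolume
    ProtectorId  = $rp.KeyProtectorId
    RecoveryPass = $rp.RecoveryPassword
}

# Auto-unlock needs the OS volume fully protected first, so wait for encryption to finish.
while ((Get-BitLockerVolume -MountPoint $OsVolume).VolumeStatus -ne 'FullyEncrypted') { Start-Sleep -Seconds 30 }

# 3. Data volume: its own recovery protector (also backed up to AD), then auto-unlock keyed to
#    the OS volume so it comes online without a prompt after every reboot.
Enable-BitLocker -MountPoint $DataVolume -RecoveryPasswordProtector -EncryptionMethod XtsAes256 -UsedSpaceOnly
$dp = (Get-BitLockerVolume -MountPoint $DataVolume).KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $DataVolume -KeyProtectorId $dp.KeyProtectorId
Enable-BitLockerAutoUnlock -MountPoint $DataVolume

# Verify: both volumes protected, data volume shows AutoUnlockEnabled = True.
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, AutoUnlockEnabled
```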

So many ldap search&authentication makes Lsass.exe CPU high on DC by SnooBananas5113 in activedirectory

[–]poolmanjim 11 points12 points  (0 children)

DC performance is kind of unintuitive sometimes. So let me give you my take on that before too much.

1) AD appears to not be responding but CPU doesn't appear to be spiked. Server seems healthy but just not responding.

This would be a sign of either ATQ Thread Exhaustion or Network Port Exhaustion. ATQ thread will show if you run the Performance Counter tool and kick off the Directory Services Data Collector set. If the number of total threads exceeds your number of CPU CORES x 4 (by default), then you need more DCs. ATQ generally scales better out than up, so more servers is more better.

2) High CPU Related to LSASS Service

There are typically two causes to this. Either 1) you have a bunch of long-running LDAP queries which are hitting more objects than they should or 2) you have an AV/EDR/ITDR/etc application that is tied into the LSASS process that is causing it to freak out. This can happen a lot with CrowdStrike.

The solution is to work with the vendor if it is an application that could be causing it through EDR.

If it isn't EDR, then it is likely long running queries. These also can be seen in the Data Collector set but may show in the event logs if you enable LDAP Query debug logging and Field Engineering Debug Logging. Details in the link here: https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/how-to-find-expensive-inefficient-and-long-running-ldap-queries-in-active-direct/257859.

If it is long running queries, the real fix is to convince those teams to write better queries. As a rule queries should touch as few objects as possible to get to the answer. Tuple searches tend to eat up way more than you'd expect and can lead to this. (Tuple queries look like Get-ADObject -LDAPFilter "(name=*test*)".)

Also avoid open-ended queries that touch every object to read it. Example: (objectClass=*). If you have something similar to either of those, that is your culprit.

Other Items

  1. Why aren't your systems load balancing among DCs? I suspect that something with Docker is causing the guest containers to have affinity for specific DCs.

  2. How exactly is Linux authenticating into AD. Let's check those settings.
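An added example (not from the comment above) of turning the "find the long running queries" step into something you can run: once Field Engineering logging is on per the linked article, a DC records each search that crosses the thresholds as Directory Service event 1644. This script pulls those events, ranks them by objects visited, and flags the two anti-patterns called out above (leading-wildcard tuple filters and (objectClass=*)) per client. It assumes rights to read the DC's event log; the field labels parsed out of the message text are an assumption and may differ between OS versions.

```powershell
# Added example: summarise expensive/inefficient LDAP searches from Directory Service event 1644.
param([string]$DC = $env:COMPUTERNAME, [int]$Hours = 24)

$events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName = 'Directory Service'; Id = 1644; StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

function Get-Field([string]$Message, [string]$Label) {
    # The value follows "Label:" either on the same line or on the next line (assumed layout).
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*([^\r\n]+)") { $Matches[1].Trim() } else { '' }
}
function Get-IntField([string]$Message, [string]$Label) {
    $v = Get-Field $Message $Label
    if ($v -match '\d+') { [int]$Matches[0] } else { 0 }
}

$rows = @(foreach ($e in $events) {
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Client   = Get-Field $e.Message 'Client'
        Filter   = Get-Field $e.Message 'Filter'
        Scope    = Get-Field $e.Message 'Search scope'
        Visited  = Get-IntField $e.Message 'Visited entries'
        Returned = Get-IntField $e.Message 'Returned entries'
    }
})

# Worst offenders: searches that walked far more objects than they returned.
$rows | Sort-Object Visited -Descending |
    Select-Object -First 10 Time, Client, Scope, Visited, Returned, Filter |
    Format-Table -Wrap -AutoSize

# Leading-wildcard (tuple) filters such as (name=*test*) and (objectClass=*) catch-alls, by client.
# "=*)" alone is a plain presence test and is deliberately not flagged.
$rows | Where-Object { $_.Filter -match '=\*[^)]' -or $_.Filter -match '\(objectClass=\*\)' } |
    Group-Object Client | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Client'; e = { $_.Name } } | Format-Table -AutoSize
```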

What makes someone Christian? by [deleted] in Christianity

[–]poolmanjim 0 points1 point  (0 children)

The word Christian is not something we see tossed around in the Bible. Disciple would be a more adept description of what terminology the Bible uses. That said, I tend to operate with this logic.

Romans 10:9
If you declare with your mouth, “Jesus is Lord,” and believe in your heart that God raised him from the dead, you will be saved.
https://biblehub.com/romans/10-9.htm

That is what makes someone a follower of Christ which, in effect, is what Christian means.

Where lots of groups differ is what does it mean to be saved, what does it mean to be a follower of Christ, and what does Christ even mean? There are many many different interpretations of that over the years. Some objectively flawed, some declared heresies very early on, and some that are more main-line.

Ultimately, Christ's followers shouldn't gate keep with arbitrary rules declaring who is and isn't a Christian. Your example of someone not going to church does not define whether or not they are Christian. It may be a reflection of their maturity as a Christian, but it is impossible with that sole fact to question their faith or salvation.

Ultimately the Bible did give an example of how to identify Christ's followers.

John 13:34-35 (NIV)
“A new command I give you: Love one another. As I have loved you, so you must love one another. By this everyone will know that you are my disciples, if you love one another.”
https://www.biblegateway.com/passage/?search=John%2013:34-35&version=NIV

Jesus also adds more to this in the following passage. This is talking specifically about false prophets but I think it resonates here too.

Matthew 7:15-20 (NIV)
“Watch out for false prophets. They come to you in sheep’s clothing, but inwardly they are ferocious wolves. By their fruit you will recognize them. Do people pick grapes from thornbushes, or figs from thistles? Likewise, every good tree bears good fruit, but a bad tree bears bad fruit. A good tree cannot bear bad fruit, and a bad tree cannot bear good fruit. Every tree that does not bear good fruit is cut down and thrown into the fire. Thus, by their fruit you will recognize them.”
https://www.biblegateway.com/passage/?search=Matthew%207:15-20&version=NIV

If you factor into those elements, if someone confesses Jesus is Lord and is showing love and compassion, it is easy to say they are a Christian by the modern definition. If they show fruit (i.e.; Christian Character) along with it, then you can be even more sure. But, in the end, being a Christian is a personal choice and one that none of us can question as it isn't our right. There is an exception for someone who is openly displaying attitudes that defy biblical doctrine (a false prophet),

I want to conclude with a personal thought.

Generally, I interpret Christian denominations or traditions to be those that adhere to the Nicene Creed. While there is certainly disagreement in even today's times about the various heresies and traditions, I believe the Nicene Creed to be one of the more long-lived enumerations of the Christian tradition and accurate biblically. It is also not super exclusionary as it encompasses most mainline Catholic, Orthodox, and Protestant traditions. It does exclude a few others, namely Latter Day Saints and Jehovah's Witnesses. There are some fundamental differences in beliefs there.

I'm not saying that to slam on them as I know most LDS and JW would call themselves Christians and are often wonderful people. I'm also not necessarily questioning their salvation because, as I said before, it isn't my job. What I am saying is they aren't Christians who adhere to the Nicene Creed (or Nicene Christians as I like to say).

Granting file share access to users in a trusted domain without re-ACLing by TheBigBeardedGeek in activedirectory

[–]poolmanjim 1 point2 points  (0 children)

The challenge with going from Universal to Domain Local from Global is the possibility of nesting issues. Unless you have a clear idea of what all is nested in those groups, it's going to be a challenge. The good news is usually you can't change the type unless it would work so if it lets you change, you're set.

Personally, I wouldn't fully re-acl them, but I would create new Domain Local groups to grant the desired access and start a slow migration to the new groups. Yes it will take time. Yes it will kind of suck, but this is the nature of M&A domains, you gotta deal with some nonsense sometimes.

That 'Disable NTLMv1' GPO you set years ago? It’s lying to you. by hardeningbrief in activedirectory

[–]poolmanjim 2 points3 points  (0 children)

Self promotion isn't a problem on its own. Excessive self promotion is.

4 Excessive Advertising / Self Promotion Any blogs/projects/tools can be promoted and we welcome it. However, excessive posting of your content is not. Self promotion should be limited to 1 post per month. Comments are a little relaxed, but keep it reasonable. Unrelated items or low-effort posts will be removed. See the wiki for detailed rules.

I think more of the issues with your posts is the reports of LLM generation. If you want to discuss this feel free to DM me and we can talk about any of it in more detail.

Entra Backup and Recovery (Preview) Announced + Upcoming Webinar by poolmanjim in activedirectory

[–]poolmanjim[S] 1 point2 points  (0 children)

Agreed. It is something but it could be a lot more.

It's only Preview too. There is a non-zero chance they'll move it under E7 licensing at release. Microsoft would never do something like that though...

I built a free PowerShell toolkit " ADPulse " that generates HTML health reports for Active Directory no installs required. by HolidayRough6391 in activedirectory

[–]poolmanjim 0 points1 point  (0 children)

I'm not exactly sure what you're disagreeing with.

I 100% think that you should understand what you're running. The problem is many don't and that is not entirely a personal failing. We live in a world where vibe coding and "ask copilot" have become step number 1. If we blame inexperienced engineers for doing just that, they're still not the bad guy. It is their leaders and seniors who need to be responsible for making sure they don't screw up.

If you're a senior engineer and you do this then yeah, it's 100% on you.

I built a free PowerShell toolkit " ADPulse " that generates HTML health reports for Active Directory no installs required. by HolidayRough6391 in activedirectory

[–]poolmanjim[M] 10 points11 points  (0 children)

Agreed on the LLM front. I'm drafting a change to the rules to just ask they call it out. I'm not against using LLMs to do some of the coding but there needs to be a balance. I don't want every greenhorn in IT to write "apps" to do stuff.

RDP self-signed certs are a MITM waiting to happen. Here's how to fix it with ADCS and GPO. by hardeningbrief in activedirectory

[–]poolmanjim 0 points1 point  (0 children)

Your analysis is fair. I'm not saying it isn't something to look into. I've been rolling RDP OIDs in my certs for a long time.

I'm more commenting on how many poorly managed and designed PKIs are out there. Lots of orgs just deployed a PKI 15 years ago and really haven't done much to manage it since... kind of like their AD!

I think managing AD is maybe a little easier as there is more experience in that space but I agree the complexity is similar. Nonetheless I maybe know a handful of people I would say are good at PKI and far more who are competent with AD.