jephthai / OpenPasswordFilter

An open source custom password filter DLL and userspace service to better protect / control Active Directory domain passwords.
GNU General Public License v2.0
385 stars, 101 forks

Bypass all checks when username = "krbtgt" #22

Open mwtrigg opened 6 years ago

mwtrigg commented 6 years ago

As noted here, https://support.microsoft.com/en-us/help/2549833/changing-the-krbtgt-password-may-fail-when-a-custom-password-filter-is, a special exception needs to be created to ensure that the password check returns true for the krbtgt user account.

mwtrigg commented 6 years ago

I was able to work around this issue (failing krbtgt password reset/rotation) by simply disabling the OPF service on the PDC emulator, processing the password reset directly on the PDC emulator, then restarting the service.

I would like to point out that simply using a more complex password in the password reset field isn't an option. I have included this relevant text from the referenced website to ensure that the information is still accessible in the event of a broken link:

> Problem: If a custom password filter (i.e., passfilt.dll) is installed on a domain controller, you may receive the following error when trying to change the password for the krbtgt account: 0xc000006c STATUS_PASSWORD_RESTRICTION
>
> More Information: This occurs because there is special logic when changing the password for krbtgt. While the Active Directory Users and Computers (dsa.msc) snap-in allows you to enter a password, it won't be used when changing the password. Instead, Active Directory creates a very long string of random bits to use as the password. Since this string contains random data and not Unicode characters, it fails the typical tests included in password filters. These tests typically include checking to see if the password contains a certain combination of upper and lower case letters, numbers, and punctuation.
>
> Workaround: To work around this issue, either include a test for random data or special-case the account name krbtgt and return TRUE, indicating that the password meets the required complexity.

I will close the issue owing to lack of enthusiasm, and the fact that there is a workaround (that at least works for me).

brockrob commented 6 years ago

There are forks with PRs that aren't getting merged here that allow for filtering by username/groups, and further improvements like stopping/starting the service cleanly (there's a port binding issue) and integration with haveibeenpwned. This is the original, and credit where credit is due, but it really doesn't seem very active.

ForumSchlampe commented 5 years ago

> There are forks with PRs that aren't getting merged here that allow for filtering by username/groups, and further improvements like stopping/starting the service cleanly (there's a port binding issue) and integration with haveibeenpwned. This is the original, and credit where credit is due, but it really doesn't seem very active.

Can you name the fork?

brockrob commented 5 years ago

Well, mine is one. ;)

solardiz commented 1 year ago

Did one of you happen to capture what kind of passwords are actually passed into the filter for the krbtgt account? What length, character set? Do they literally mean "random bits", so including non-printable characters and maybe even NULs? I wasn't able to find reliable info on this yet.

I'd expect it to be possible and preferable to address the issue by allowing any sufficiently random-looking strings rather than allowing any password for krbtgt.
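As an added illustration of the two workarounds quoted from Microsoft earlier in the thread (special-casing the account name versus testing for random data), and of the point above that accepting random-looking strings is the narrower option, here is a portable C sketch of the decision logic. It is not code from OpenPasswordFilter or from any commenter. The real Windows PasswordFilter() entry point and its UNICODE_STRING arguments are modelled with plain uint16_t arrays plus a length so it compiles anywhere; the 25% non-printable threshold, the minimal complexity rule, the 128-unit sample secret (LCG output with a NUL forced into it) and all account and password values are constructed assumptions for this example, not documented behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Windows passes a password filter the account name and new password as UTF-16
 * code units plus an explicit length (UNICODE_STRING). This portable sketch uses
 * uint16_t arrays so it compiles anywhere; it is not the Windows PasswordFilter()
 * export and not OpenPasswordFilter's own code. */
typedef enum { DECISION_KRBTGT, DECISION_RANDOM, DECISION_PASS, DECISION_REJECT } decision_t;

/* Case-insensitive match of a UTF-16 account name against "krbtgt". */
bool is_krbtgt_account(const uint16_t *name, size_t n)
{
    static const char want[] = "krbtgt";
    if (n != sizeof want - 1) return false;
    for (size_t i = 0; i < n; i++)           /* |0x20 folds ASCII A-Z to a-z */
        if ((name[i] | 0x20) != (uint16_t)want[i]) return false;
    return true;
}

/* "Test for random data" workaround: typed or generated passwords consist of
 * printable characters, while the krbtgt secret is random bits, most of which
 * fall outside 0x20..0x7E and may include NULs. 25% is an assumed threshold. */
bool looks_like_random_bits(const uint16_t *pw, size_t n)
{
    size_t untyped = 0;
    for (size_t i = 0; i < n; i++)
        if (pw[i] < 0x20 || pw[i] > 0x7E) untyped++;
    return n > 0 && untyped * 4 >= n;
}

/* What a NUL-terminated string routine would see: it stops at the first 0x0000
 * unit and silently truncates random data. Always use the explicit length. */
size_t nul_terminated_length(const uint16_t *pw, size_t n)
{
    size_t i = 0;
    while (i < n && pw[i] != 0) i++;
    return i;
}

/* Minimal complexity rule for ordinary accounts (example policy, not OPF's). */
bool meets_complexity(const uint16_t *pw, size_t n)
{
    bool upper = false, lower = false, digit = false;
    for (size_t i = 0; i < n; i++) {
        if (pw[i] >= 'A' && pw[i] <= 'Z') upper = true;
        else if (pw[i] >= 'a' && pw[i] <= 'z') lower = true;
        else if (pw[i] >= '0' && pw[i] <= '9') digit = true;
    }
    return n >= 12 && upper && lower && digit;
}

/* Random-data test runs before the ordinary rules, so krbtgt rotation succeeds
 * even with the by-name bypass switched off (the narrower option). */
decision_t filter_decision(const uint16_t *name, size_t nlen,
                           const uint16_t *pw, size_t plen, bool bypass_krbtgt)
{
    if (bypass_krbtgt && is_krbtgt_account(name, nlen)) return DECISION_KRBTGT;
    if (looks_like_random_bits(pw, plen)) return DECISION_RANDOM;
    return meets_complexity(pw, plen) ? DECISION_PASS : DECISION_REJECT;
}

#define SAMPLE_LEN 128   /* constructed inputs below let the sketch run stand-alone */

static size_t ascii_to_u16(const char *s, uint16_t *out, size_t cap)
{
    size_t n = 0;
    for (; s[n] != '\0' && n < cap; n++) out[n] = (uint16_t)(unsigned char)s[n];
    return n;
}

/* Deterministic stand-in for the secret AD generates: LCG output with a NUL at index 3. */
static const uint16_t *sample_secret(void)
{
    static uint16_t blob[SAMPLE_LEN];
    uint32_t x = 0x9E3779B9u;
    for (size_t i = 0; i < SAMPLE_LEN; i++) { x = x * 1103515245u + 12345u; blob[i] = (uint16_t)(x >> 16); }
    blob[3] = 0;
    return blob;
}

decision_t decide_typed(const char *account, const char *password, bool bypass_krbtgt)
{
    uint16_t name[64], pw[256];
    size_t nl = ascii_to_u16(account, name, 64), pl = ascii_to_u16(password, pw, 256);
    return filter_decision(name, nl, pw, pl, bypass_krbtgt);
}

decision_t decide_sample_secret(const char *account, bool bypass_krbtgt)
{
    uint16_t name[64];
    size_t nl = ascii_to_u16(account, name, 64);
    return filter_decision(name, nl, sample_secret(), SAMPLE_LEN, bypass_krbtgt);
}

size_t sample_secret_truncated_length(void) { return nul_terminated_length(sample_secret(), SAMPLE_LEN); }

int main(void)
{
    printf("krbtgt, random blob, bypass off: %d\n", decide_sample_secret("krbtgt", false));
    printf("blob length via NUL scan: %zu of %d\n", sample_secret_truncated_length(), SAMPLE_LEN);
    return 0;
}
```

Two details matter for a real filter: the random-data check must look at the whole buffer using the length Windows supplies, never a NUL-terminated scan (the sample secret shows how much of the data such a scan drops), and the by-name bypass should be treated as the documented fallback rather than the default, since a random-data test accepts only the kind of value AD actually generates.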