microsoftarchive / New-KrbtgtKeys.ps1

This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation.
MIT License
402 stars, 89 forks

Issue in Get-GpoReport #11

Open nannnu opened 3 years ago

nannnu commented 3 years ago

Found an issue where, in a trusted domain, Get-GPOReport returns the Max TGT Lifetime and Max Clock Skew as empty/null. This causes the second iteration of the script to reset the krbtgt password, because the check comparing the last password-set time against the current time succeeds and no "MAJOR Impact" warning is presented.

[2021-05-26 17:51:04] : Max TGT Lifetime (Hours)..............: ''
[2021-05-26 17:51:04] : Max Clock Skew (Minutes)..............: ''
[2021-05-26 17:51:04] : TGT Lifetime/Clock Skew Sourced From..: 'Default Domain GPO'

I was able to add an additional check to make sure the Max TGT Lifetime is not null, to ensure this is not missed and the second iteration does not simply succeed.

                    # Fail closed: a missing Max TGT Lifetime means the GPO report could not be read
                    # properly, so the "is the previous reset older than one TGT lifetime?" check
                    # cannot be trusted. Put $null on the left so PowerShell does not do array
                    # comparison if the value ever comes back as a collection.
                    If ($null -eq $targetedADdomainMaxTgtLifetimeHrs)
                       {
                       Logging "  --> Max TGT Lifetime (Hours)..............: 'This was determined to be null. Ensure to run the script from a computer joined to appropriate forest'" "WARNING"
                       Logging "  --> EXITING SCRIPT  "
                       Start-Sleep -Seconds 20
                       EXIT
                       }

...................

Interestingly, during later debugging I was also able to see this peculiar behaviour with Get-GPOReport, which seems to behave badly.

The fix was to use

[xml]$gpoObjXML = Get-GPOReport -Domain $targetedADdomainFQDN -Guid '{31B2F340-016D-11D2-945F-00C04FB984F9}' -ReportType Xml -Server $targetedADdomainFQDN

If I use a domain controller FQDN for $targetedADdomainFQDN, it seems to come up empty for MaxTgtLifetime and the other values.

I also examined the XML and saw that it was coming back as "BLOCKED", which was weird. Just wanted to apprise you of this happening; I was able to add an additional roadblock if it reported as null.
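The two points raised in the issue (query the Default Domain Policy report by domain FQDN rather than by DC FQDN, and refuse to proceed when the Kerberos policy values come back empty) combined into one fail-closed helper. This is an added example, not code from New-KrbtgtKeys.ps1 or from the issue author's patch. It assumes the Get-GPOReport XML exposes the Kerberos policy as Account entries (Name/SettingNumber/Type) under the Security Settings extension, which is the layout the script's own parsing relies on; the function names and the sample XML are constructed for this illustration and are not real GPO output.

```powershell
# Added example: parse the Kerberos policy out of a Get-GPOReport XML document and
# treat missing values as a hard error instead of silently continuing.

function Get-KerberosPolicyFromGpoXml {
    param([Parameter(Mandatory)][xml]$GpoXml)

    # Assumption: the Security Settings extension renders Kerberos policy as
    # <Account><Name>MaxTicketAge</Name><SettingNumber>10</SettingNumber><Type>Kerberos</Type></Account>.
    # Dotted navigation ignores XML namespaces and enumerates across all <Extension> nodes,
    # so extensions without <Account> children simply contribute nothing.
    $accounts = @($GpoXml.GPO.Computer.ExtensionData.Extension.Account)

    $maxTgt  = ($accounts | Where-Object { $_.Name -eq 'MaxTicketAge' -and $_.Type -eq 'Kerberos' }).SettingNumber
    $maxSkew = ($accounts | Where-Object { $_.Name -eq 'MaxClockSkew' -and $_.Type -eq 'Kerberos' }).SettingNumber

    [pscustomobject]@{
        MaxTgtLifetimeHrs = $maxTgt
        MaxClockSkewMins  = $maxSkew
    }
}

function Test-KerberosPolicyComplete {
    param([Parameter(Mandatory)]$Policy)

    # A missing element yields $null, an empty element yields ''. Both must fail the
    # "previous reset is older than one TGT lifetime" safety check, so reject both.
    foreach ($value in @($Policy.MaxTgtLifetimeHrs, $Policy.MaxClockSkewMins)) {
        if ([string]::IsNullOrWhiteSpace([string]$value)) { return $false }
        $parsed = 0
        if (-not [int]::TryParse([string]$value, [ref]$parsed) -or $parsed -le 0) { return $false }
    }
    return $true
}

function Get-DefaultDomainKerberosPolicy {
    param([Parameter(Mandatory)][string]$DomainFqdn)

    # Query by domain FQDN for both -Domain and -Server, as in the issue author's fix.
    # Pointing -Server at an individual DC FQDN was observed to return empty values.
    # The GUID is the well-known GUID of the Default Domain Policy.
    [xml]$gpoXml = Get-GPOReport -Domain $DomainFqdn `
                                 -Guid '{31B2F340-016D-11D2-945F-00C04FB984F9}' `
                                 -ReportType Xml `
                                 -Server $DomainFqdn

    $policy = Get-KerberosPolicyFromGpoXml -GpoXml $gpoXml
    if (-not (Test-KerberosPolicyComplete -Policy $policy)) {
        throw "Kerberos policy for '$DomainFqdn' is incomplete (MaxTicketAge='$($policy.MaxTgtLifetimeHrs)', MaxClockSkew='$($policy.MaxClockSkewMins)'). Refusing to continue; run from a machine joined to the target forest and query by domain FQDN."
    }
    return $policy
}

# ---- Offline demonstration with constructed sample reports (not real GPO output) ----

$goodReport = @"
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Computer><ExtensionData><Extension>
    <Account><Name>MaxTicketAge</Name><SettingNumber>10</SettingNumber><Type>Kerberos</Type></Account>
    <Account><Name>MaxClockSkew</Name><SettingNumber>5</SettingNumber><Type>Kerberos</Type></Account>
  </Extension></ExtensionData></Computer>
</GPO>
"@

# Mirrors the failure in the issue: the report exists but carries no Kerberos settings.
$emptyReport = @"
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Computer><ExtensionData><Extension>
    <Account><Name>MaxTicketAge</Name><SettingNumber></SettingNumber><Type>Kerberos</Type></Account>
  </Extension></ExtensionData></Computer>
</GPO>
"@

foreach ($report in @($goodReport, $emptyReport)) {
    $policy = Get-KerberosPolicyFromGpoXml -GpoXml ([xml]$report)
    if (Test-KerberosPolicyComplete -Policy $policy) {
        Write-Host ("Policy OK: MaxTgtLifetimeHrs={0}, MaxClockSkewMins={1}" -f $policy.MaxTgtLifetimeHrs, $policy.MaxClockSkewMins)
    } else {
        Write-Warning "Policy incomplete; a krbtgt reset must not proceed on this data."
    }
}
```

Against a live domain, call Get-DefaultDomainKerberosPolicy -DomainFqdn 'corp.example' (hypothetical name) and gate the second krbtgt reset on the returned values; the function throws rather than returning partial data, so a caller cannot accidentally compare the last password-set time against an empty lifetime.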