microsoftarchive / New-KrbtgtKeys.ps1

This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation.
MIT License

When is it best to reset password again? #3

Closed aakash-shah closed 4 years ago

aakash-shah commented 4 years ago

It would be helpful if the script provided information on when it would be considered safest to reset the krbtgt password a second time if we are looking to minimize impact on the domain. Do I understand this to be the date/time specified under "Date/Time N-1 Kerberos Tickets"? If so, it would be helpful to state this, and to provide additional guidance that attempting to reset a second time within this timeframe may have an impact. And if resetting past this timeframe, to clarify that sufficient time has passed and it is safe to perform a second reset with minimal impact.

I noticed this with the v2 script.

Thanks.

aakash-shah commented 4 years ago

I just noticed that the older v1.7 script appears much simpler and easier to read, and helps quickly point out that it is not safe/time to perform a second reset:

"Checking if all tickets based on the previous (N-1) krbtgt key have expired.....FAILED"

Please consider adding this functionality into v2.5, and consider simplifying the output of v2.5 like how 1.7 is.

Thanks.

cchapin-ms commented 4 years ago

@aakash-shah - Thanks for the feedback on the script; we will look at incorporating it in a future release.

The time calculated as safe to perform the second password change is the value in "Date/Time N-1 Kerberos Tickets". The script logic does warn "MAJOR DOMAIN WIDE IMPACT" if the current date/time is before the expiration date/time and asks you to confirm continuing with the change.
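The check described in the reply above (second reset is safe only once every ticket issued under the previous, N-1, krbtgt key has expired; warn about domain-wide impact otherwise), as an added PowerShell example that is not code from New-KrbtgtKeys.ps1 or from the thread participants. It assumes that the N-1 key stopped being used for new tickets at the moment the krbtgt password was last set, so the last ticket issued under it lives at most one maximum TGT lifetime; the 10-hour `MaxTicketAge`, 5-minute `MaxClockSkew` and 1-hour `ReplicationMargin` defaults are assumptions (the Windows Kerberos policy defaults plus a margin for replication to every DC), and `Get-KrbtgtSecondResetStatus` is a name chosen for this example. Check the actual Kerberos policy of your domain before relying on the defaults.

```powershell
# Added example, not the New-KrbtgtKeys.ps1 script's own code.
# Assumptions (not taken from the script or the thread):
#  - No new ticket is issued under the N-1 key after PasswordLastSet, so the
#    last N-1 ticket expires at most MaxTicketAge after that time.
#  - MaxTicketAge/MaxClockSkew default to the Windows Kerberos policy defaults
#    (10 hours / 5 minutes); ReplicationMargin is an extra safety margin.
function Get-KrbtgtSecondResetStatus {
    [CmdletBinding()]
    param(
        # PasswordLastSet of the krbtgt account; $null if the AD attribute is unset.
        [AllowNull()][datetime]$PasswordLastSet,
        [timespan]$MaxTicketAge      = (New-TimeSpan -Hours 10),
        [timespan]$MaxClockSkew      = (New-TimeSpan -Minutes 5),
        [timespan]$ReplicationMargin = (New-TimeSpan -Hours 1),
        [datetime]$Now               = (Get-Date)
    )

    if ($null -eq $PasswordLastSet) {
        throw "krbtgt PasswordLastSet is not set; cannot compute the N-1 ticket expiry."
    }

    # Earliest moment at which every ticket based on the N-1 key must have expired.
    $nMinusOneExpiry = $PasswordLastSet + $MaxTicketAge + $MaxClockSkew + $ReplicationMargin
    $safe = $Now -ge $nMinusOneExpiry

    [pscustomobject]@{
        PasswordLastSet        = $PasswordLastSet
        NMinusOneTicketsExpire = $nMinusOneExpiry
        Now                    = $Now
        SafeToResetAgain       = $safe
        Remaining              = if ($safe) { [timespan]::Zero } else { $nMinusOneExpiry - $Now }
    }
}

# Reports the result in the terse v1.7 style the issue asks for and returns $true
# only when a second reset is safe, so a calling script can gate on it.
function Test-KrbtgtSecondReset {
    param([Parameter(Mandatory)]$Status)

    $line = "Checking if all tickets based on the previous (N-1) krbtgt key have expired....."
    if ($Status.SafeToResetAgain) {
        Write-Host ($line + "PASSED") -ForegroundColor Green
        return $true
    }
    Write-Host ($line + "FAILED") -ForegroundColor Red
    Write-Warning ("MAJOR DOMAIN WIDE IMPACT: tickets issued under the N-1 key may still be valid " +
                   "until {0:u} ({1} remaining). Wait before resetting krbtgt again." -f
                   $Status.NMinusOneTicketsExpire, $Status.Remaining)
    return $false
}

# Against a live domain (requires the ActiveDirectory module):
#   $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
#   $status = Get-KrbtgtSecondResetStatus -PasswordLastSet $krbtgt.PasswordLastSet
#
# Constructed sample input so the block runs offline: a reset at 08:00, checked at
# 15:00 the same day, i.e. 7 hours later, which is inside the 11h05m window -> FAILED.
$status = Get-KrbtgtSecondResetStatus -PasswordLastSet (Get-Date '2020-01-01 08:00') `
                                      -Now             (Get-Date '2020-01-01 15:00')
$null = Test-KrbtgtSecondReset -Status $status

# Same reset checked the next morning, well past the window -> PASSED.
$status = Get-KrbtgtSecondResetStatus -PasswordLastSet (Get-Date '2020-01-01 08:00') `
                                      -Now             (Get-Date '2020-01-02 08:00')
$null = Test-KrbtgtSecondReset -Status $status
```

The expiry is computed from `PasswordLastSet` rather than from any ticket inventory because the KDC does not record outstanding TGTs; the maximum TGT lifetime is the only bound available, which is why the clock-skew and replication margins are added on top of it rather than cutting the wait short.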