Otdfbt

Construct a word ladder

Is the field of q-series 'dead'?

Which is the common name of Mind Flayers?

How to respond to an upset student?

Is "cool" appropriate or offensive to use in IMs?

Is CD audio quality good enough?

Would jet fuel for an F-16 or F-35 be producible during WW2?

Find limit in use of integrals

Is real public IP Address hidden when using a system wide proxy in Windows 10?

Pirate democracy at its finest

Is it true that cut time means "play twice as fast as written"?

Why do airplanes use an axial flow jet engine instead of a more compact centrifugal jet engine?

What are these arcade games in Ghostbusters 1984?

Employer demanding to see degree after poor code review

My employer faked my resume to acquire projects

Looking for a soft substance that doesn't dissolve underwater

Why were helmets and other body armour not commonplace in the 1800s?

Should one buy new hardware after a system compromise?

Computing the matrix powers of a non-diagonalizable matrix

Text at the right of icon

Why do Windows registry hives appear empty?

What is a Centaur Thief's climbing speed?

Have 1.5% of all nuclear reactors ever built melted down?

What are the real benefits of using Salesforce DX?

PowerShell error message for script to reset krbtgt account password/keys

PowerShell to reset local Administrator account password. 5% failuresGPO: Run PowerShell logon script after explorer.exe has been loadedHow can I get SeSecurityPrivilege enabled?How to interactively change the password of a user account on a remote windows machine (in the same LAN) from a local machine's command line prompt?Run logon command as administrator Windows 10Get-WmiCounter Win32_PerfFormattedData_NETFramework_NETCLRMemory Incomplete in non admin contextPowerShell script using Bits-Transfer does not work as Scheduled TaskGPO for PS1 logon script does not work without local admin rights for userServer 2008R2, startup/shutdown powershell scripts in gpedit.msc not working and not appearing in registry. Script works manually. No domain involvedPassword reset script error

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

0

We're trying to reset our krbtgt password/keys using the PowerShell script provided by Microsoft, obtained from here:

https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51?ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-fBZQOeWqTO1IENsFZImkRg&epi=TnL5HPStwNw-fBZQOeWqTO1IENsFZImkRg&irgwc=1&OCID=AID681541_aff_7593_1243925&tduid=(ir__b1osrdblekkfrnt10ckzh9lp2u2xmqfdv31my0xm00)(7593)(1243925)(TnL5HPStwNw-fBZQOeWqTO1IENsFZImkRg)()&irclickid=_b1osrdblekkfrnt10ckzh9lp2u2xmqfdv31my0xm00

However, we're getting the following error message when running it:

"Krbtgt reset failed. Check to ensure you have sufficient rights to reset the krbtgt account. Replication will be skipped"

We ran the script as an administrator and logged in as a user with admin rights to the server. Can anyone please give us tips on where the potential problem could be?

windows-server-2008-r2 powershell kerberos

share|improve this question

asked May 13 at 20:28

7290990372909903

42

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  You say "administrator" and "admin", but you don't say "Domain Administrator" or "Domain Admin". The instructions are very clear about the authority required, and "admin rights to the server" are not the same as "admin rights to the domain". Regardless, its clear you are not running it with "sufficient rights" so you need to focus in that area.
  
  – Larryc
  May 14 at 8:24
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I confirmed the account used to run the script is in the domain admins security group. Still getting the error message. Perhaps a GPO is causing this?
  
  – 72909903
  May 16 at 1:29
  

  
  
  
  

add a comment | 

0

We're trying to reset our krbtgt password/keys using the PowerShell script provided by Microsoft, obtained from here:

https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51?ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-fBZQOeWqTO1IENsFZImkRg&epi=TnL5HPStwNw-fBZQOeWqTO1IENsFZImkRg&irgwc=1&OCID=AID681541_aff_7593_1243925&tduid=(ir__b1osrdblekkfrnt10ckzh9lp2u2xmqfdv31my0xm00)(7593)(1243925)(TnL5HPStwNw-fBZQOeWqTO1IENsFZImkRg)()&irclickid=_b1osrdblekkfrnt10ckzh9lp2u2xmqfdv31my0xm00

However, we're getting the following error message when running it:

"Krbtgt reset failed. Check to ensure you have sufficient rights to reset the krbtgt account. Replication will be skipped"

We ran the script as an administrator and logged in as a user with admin rights to the server. Can anyone please give us tips on where the potential problem could be?

windows-server-2008-r2 powershell kerberos

share|improve this question

asked May 13 at 20:28

7290990372909903

42

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  You say "administrator" and "admin", but you don't say "Domain Administrator" or "Domain Admin". The instructions are very clear about the authority required, and "admin rights to the server" are not the same as "admin rights to the domain". Regardless, its clear you are not running it with "sufficient rights" so you need to focus in that area.
  
  – Larryc
  May 14 at 8:24
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I confirmed the account used to run the script is in the domain admins security group. Still getting the error message. Perhaps a GPO is causing this?
  
  – 72909903
  May 16 at 1:29
  

  
  
  
  

add a comment | 

We're trying to reset our krbtgt password/keys using the PowerShell script provided by Microsoft, obtained from here:

https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51?ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-fBZQOeWqTO1IENsFZImkRg&epi=TnL5HPStwNw-fBZQOeWqTO1IENsFZImkRg&irgwc=1&OCID=AID681541_aff_7593_1243925&tduid=(ir__b1osrdblekkfrnt10ckzh9lp2u2xmqfdv31my0xm00)(7593)(1243925)(TnL5HPStwNw-fBZQOeWqTO1IENsFZImkRg)()&irclickid=_b1osrdblekkfrnt10ckzh9lp2u2xmqfdv31my0xm00

However, we're getting the following error message when running it:

"Krbtgt reset failed. Check to ensure you have sufficient rights to reset the krbtgt account. Replication will be skipped"

We ran the script as an administrator and logged in as a user with admin rights to the server. Can anyone please give us tips on where the potential problem could be?

windows-server-2008-r2 powershell kerberos

share|improve this question

asked May 13 at 20:28

7290990372909903

42

share|improve this question

asked May 13 at 20:28

7290990372909903

42

share|improve this question

asked May 13 at 20:28

7290990372909903

42

asked May 13 at 20:28

7290990372909903

42

asked May 13 at 20:28

7290990372909903

42

2 Answers
2

active

oldest

votes

0

Important- Verify replication between all DC's involved.

Equally important- verify time synchronization between them as well.

I mentioned your issue to a couple friends and they suggest trying
this Script.

share|improve this answer

answered May 17 at 7:15

LarrycLarryc

22614

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thanks LarryC. Unfortunately I can't reach that link from where I work but will try to check it out later. Our environment has only one DC (for now). We're starting to suspect that something on the server is blocking the input of the complex password generated by the script, for the krbtgt account. I checked the GPOs for PW complexity and no issues there. In the script, line 151, is the function 'New-CtmADKrbtgtAccountPassword' which resets the PW for the krbtgt account. Note the error message on line 159, 'Krbtgt key reset failed due to insufficient permissions.'
  
  – 72909903
  May 20 at 18:27
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  (cont'd from previous comment) That's not the error message we're receiving. The error message we're getting is from line 453, 'Krbtgt reset failed. Check to ensure you have sufficient rights to reset the krbtgt account. Replication will be skipped' That error message appears to be a more broad, general error message. So don't believe it's a permissions issue, it must be something on the server that's denying the resetting of the krbtgt account PW reset. And the account I'm running this script under is the same account we use to do PW resets...
  
  – 72909903
  May 20 at 18:35
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  (cont'd from previous comment) Perhaps this cmdlet on line 155 is what the server doesn't like: Try Set-ADAccountPassword -Identity (Get-ADUser krbtgt -Server $Server).DistinguishedName -Server $Server -Reset -NewPassword (ConvertTo-SecureString ((New-CtmADComplexPassword 32).ToString()) -AsPlainText -Force)
  
  – 72909903
  May 20 at 18:40
  

  
  
  
  

add a comment | 

0

Discovered that the issue was caused by a 3rd party password filter that was active on the DC called "enpasflt".

Simply disable the "enpasflt" password filter by going to this Registry key:

HKEY_LOCAL_MACHINESystemCurrentControlSetControlLSANotification Packages

Remove any reference to "enpasflt" there, then reboot the server. The script should then execute successfully.

Reference for enpasflt:

https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2012-07-02/finding/V-1131

share|improve this answer

answered May 22 at 0:08

7290990372909903

42

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f967099%2fpowershell-error-message-for-script-to-reset-krbtgt-account-password-keys%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

0

Important- Verify replication between all DC's involved.

Equally important- verify time synchronization between them as well.

I mentioned your issue to a couple friends and they suggest trying
this Script.

share|improve this answer

answered May 17 at 7:15

LarrycLarryc

22614

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thanks LarryC. Unfortunately I can't reach that link from where I work but will try to check it out later. Our environment has only one DC (for now). We're starting to suspect that something on the server is blocking the input of the complex password generated by the script, for the krbtgt account. I checked the GPOs for PW complexity and no issues there. In the script, line 151, is the function 'New-CtmADKrbtgtAccountPassword' which resets the PW for the krbtgt account. Note the error message on line 159, 'Krbtgt key reset failed due to insufficient permissions.'
  
  – 72909903
  May 20 at 18:27
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  (cont'd from previous comment) That's not the error message we're receiving. The error message we're getting is from line 453, 'Krbtgt reset failed. Check to ensure you have sufficient rights to reset the krbtgt account. Replication will be skipped' That error message appears to be a more broad, general error message. So don't believe it's a permissions issue, it must be something on the server that's denying the resetting of the krbtgt account PW reset. And the account I'm running this script under is the same account we use to do PW resets...
  
  – 72909903
  May 20 at 18:35
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  (cont'd from previous comment) Perhaps this cmdlet on line 155 is what the server doesn't like: Try Set-ADAccountPassword -Identity (Get-ADUser krbtgt -Server $Server).DistinguishedName -Server $Server -Reset -NewPassword (ConvertTo-SecureString ((New-CtmADComplexPassword 32).ToString()) -AsPlainText -Force)
  
  – 72909903
  May 20 at 18:40
  

  
  
  
  

add a comment | 

0

Important- Verify replication between all DC's involved.

Equally important- verify time synchronization between them as well.

I mentioned your issue to a couple friends and they suggest trying
this Script.

share|improve this answer

answered May 17 at 7:15

LarrycLarryc

22614

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thanks LarryC. Unfortunately I can't reach that link from where I work but will try to check it out later. Our environment has only one DC (for now). We're starting to suspect that something on the server is blocking the input of the complex password generated by the script, for the krbtgt account. I checked the GPOs for PW complexity and no issues there. In the script, line 151, is the function 'New-CtmADKrbtgtAccountPassword' which resets the PW for the krbtgt account. Note the error message on line 159, 'Krbtgt key reset failed due to insufficient permissions.'
  
  – 72909903
  May 20 at 18:27
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  (cont'd from previous comment) That's not the error message we're receiving. The error message we're getting is from line 453, 'Krbtgt reset failed. Check to ensure you have sufficient rights to reset the krbtgt account. Replication will be skipped' That error message appears to be a more broad, general error message. So don't believe it's a permissions issue, it must be something on the server that's denying the resetting of the krbtgt account PW reset. And the account I'm running this script under is the same account we use to do PW resets...
  
  – 72909903
  May 20 at 18:35
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  (cont'd from previous comment) Perhaps this cmdlet on line 155 is what the server doesn't like: Try Set-ADAccountPassword -Identity (Get-ADUser krbtgt -Server $Server).DistinguishedName -Server $Server -Reset -NewPassword (ConvertTo-SecureString ((New-CtmADComplexPassword 32).ToString()) -AsPlainText -Force)
  
  – 72909903
  May 20 at 18:40
  

  
  
  
  

add a comment | 

Important- Verify replication between all DC's involved.

Equally important- verify time synchronization between them as well.

I mentioned your issue to a couple friends and they suggest trying
this Script.

share|improve this answer

answered May 17 at 7:15

LarrycLarryc

22614

share|improve this answer

answered May 17 at 7:15

LarrycLarryc

22614

answered May 17 at 7:15

LarrycLarryc

22614

answered May 17 at 7:15

LarrycLarryc

22614

0

Discovered that the issue was caused by a 3rd party password filter that was active on the DC called "enpasflt".

Simply disable the "enpasflt" password filter by going to this Registry key:

HKEY_LOCAL_MACHINESystemCurrentControlSetControlLSANotification Packages

Remove any reference to "enpasflt" there, then reboot the server. The script should then execute successfully.

Reference for enpasflt:

https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2012-07-02/finding/V-1131

share|improve this answer

answered May 22 at 0:08

7290990372909903

42

add a comment | 

0

Discovered that the issue was caused by a 3rd party password filter that was active on the DC called "enpasflt".

Simply disable the "enpasflt" password filter by going to this Registry key:

HKEY_LOCAL_MACHINESystemCurrentControlSetControlLSANotification Packages

Remove any reference to "enpasflt" there, then reboot the server. The script should then execute successfully.

Reference for enpasflt:

https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2012-07-02/finding/V-1131

share|improve this answer

answered May 22 at 0:08

7290990372909903

42

add a comment | 

Discovered that the issue was caused by a 3rd party password filter that was active on the DC called "enpasflt".

Simply disable the "enpasflt" password filter by going to this Registry key:

HKEY_LOCAL_MACHINESystemCurrentControlSetControlLSANotification Packages

Remove any reference to "enpasflt" there, then reboot the server. The script should then execute successfully.

Reference for enpasflt:

https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2012-07-02/finding/V-1131

share|improve this answer

answered May 22 at 0:08

7290990372909903

42

share|improve this answer

answered May 22 at 0:08

7290990372909903

42

answered May 22 at 0:08

7290990372909903

42

answered May 22 at 0:08

7290990372909903

42