Hey everyone! I'm rerunning PingCastle after a few months and noticed I've got an extra 50 points deducted for the Kerberos password age check. I confirmed that the password was changed back in February, and the PwdLastSet shows this date. Has anyone encountered a similar issue? Last time I checked, the report was fine after I reset it, but now it shows the age as an outrageous 729580 days!
3 Answers
Make sure to verify the password age across all your Domain Controllers just to be thorough. You never know what might be different on them!
If you're okay with it, just delete that line item or mark it as resolved. It's better to focus on the next thing that needs fixing instead of getting stuck on this.
Are you referring to the krbtgt account? You might want to check if you cycled the password twice when you changed it. It's usually recommended to wait a day between each change because the system trusts tokens issued with both the current and previous passwords. This ensures a complete password cycle. I usually use a script for this; it helps avoid potential issues. Here's a solid one you can check out: github.com/zjorz/Public-AD-Scripts/blob/master/Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1.

Good point! I’ll consider just marking it as remediated if it's not affecting anything.
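The cross-DC check suggested in the answers, as an added example that is not from any participant in this thread: it reads the krbtgt `pwdLastSet` value and its replication metadata from each domain controller and reports any disagreement. It assumes the RSAT ActiveDirectory module and read access to every DC; it does not cover the separate `krbtgt_*` accounts used by RODCs.

```powershell
# Added example: compare krbtgt password metadata on every domain controller.
# Assumes the RSAT ActiveDirectory module and read access to each DC.
Import-Module ActiveDirectory

$now = (Get-Date).ToUniversalTime()

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Query this specific DC instead of whichever one the locator picks.
        $krbtgt = Get-ADUser -Identity krbtgt -Server $dc.HostName `
            -Properties pwdLastSet, 'msDS-KeyVersionNumber'

        # pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC).
        # 0 means "not set"; converting it would produce a date in 1601.
        $raw = [int64]$krbtgt.pwdLastSet
        $set = if ($raw -gt 0) { [DateTime]::FromFileTimeUtc($raw) } else { $null }

        # Replication metadata: how often and when the attribute was written.
        $meta = Get-ADReplicationAttributeMetadata -Object $krbtgt.DistinguishedName `
            -Server $dc.HostName -Properties pwdLastSet

        [pscustomobject]@{
            DC             = $dc.HostName
            PwdLastSetRaw  = $raw
            PwdLastSetUtc  = $set
            AgeDays        = if ($set) { [int]($now - $set).TotalDays } else { $null }
            KeyVersion     = $krbtgt.'msDS-KeyVersionNumber'
            AttrVersion    = $meta.Version
            LastOriginated = $meta.LastOriginatingChangeTime
            Error          = $null
        }
    }
    catch {
        # Keep unreachable DCs in the report instead of silently skipping them.
        [pscustomobject]@{ DC = $dc.HostName; Error = $_.Exception.Message }
    }
}

$results | Format-Table DC, PwdLastSetUtc, AgeDays, KeyVersion, AttrVersion, LastOriginated, Error -AutoSize

# All DCs should agree on the timestamp once replication has converged.
$distinct = @($results | Where-Object PwdLastSetUtc |
    Select-Object -ExpandProperty PwdLastSetUtc -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "krbtgt pwdLastSet differs between DCs: $($distinct -join ', ')"
}
```

A DC that reports `PwdLastSetRaw` of 0, an error, or a timestamp different from the others is the one to compare against the report's data source.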