I have a client that has lots of these events in the system event log.
Why have I never heard of this needing to be done before?
I logged into a few of my clients' DCs and the krbtgt account is disabled on them?
If this is normal then I assume changing the password won’t affect anything with the DC?
Any information appreciated.

6 Spice ups

I’m sure helpful advice will be incoming shortly. However, you may want to sanitize the screenshot for your client’s privacy.

6 Spice ups

Thanks, I thought I had a clean screenshot.

3 Spice ups

It’s pretty normal for the krbtgt account to be disabled, however the password should still be rotated (twice, separated by 24 hours) every 180 days. Here’s a great writeup on this:

5 Spice ups

Pretty sure that’s going to be this: KB5021131: How to manage the Kerberos protocol changes related to CVE-2022-37966 - Microsoft Support

The account is supposed to be disabled, so that’s not an issue.

If you never have, definitely rotate the krbtgt account password using the script from the link in the post above.

5 Spice ups

Not to mention that if you upgrade to a current version of Windows Server for a domain controller, it will blow up authentication if you have a KRBTGT password that was created with old cryptography methods. Definitely rotate twice as suggested. Absolutely wait a minimum of 10 hours. I tell people a day just to play it safe.

5 Spice ups

Are you referring to the link posted by questbahlin or your own?

4 Spice ups

Link from the post above mine - fixed the wording.

Thanks!

4 Spice ups
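A read-only way to see where a domain stands against the rotation advice in the replies above (180-day interval, two resets at least 10 hours apart). This is an added example, not part of the thread and not the script the posters link to; it assumes the ActiveDirectory RSAT module and an account that can read the krbtgt object on each DC.

```powershell
# Added example: read-only krbtgt password-age check across all DCs.
# Needs the ActiveDirectory module (RSAT); changes nothing in the domain.
Import-Module ActiveDirectory

$MaxAgeDays  = 180  # rotation interval given in the thread
$MinGapHours = 10   # minimum wait between the two resets given in the thread
$now = Get-Date

# Ask every DC directly, so a DC that has not received the last reset shows up.
$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $k = Get-ADUser -Identity krbtgt -Server $dc.HostName -ErrorAction Stop `
            -Properties PasswordLastSet, 'msDS-KeyVersionNumber'
        [pscustomobject]@{
            DC              = $dc.HostName
            Enabled         = $k.Enabled            # expected: False
            PasswordLastSet = $k.PasswordLastSet
            KeyVersion      = $k.'msDS-KeyVersionNumber'
            Error           = $null
        }
    } catch {
        [pscustomobject]@{
            DC = $dc.HostName; Enabled = $null; PasswordLastSet = $null
            KeyVersion = $null; Error = $_.Exception.Message
        }
    }
}
$rows | Format-Table -AutoSize

$ok = @($rows | Where-Object { $_.PasswordLastSet })
if ($ok.Count -eq 0) { Write-Warning 'No DC answered; nothing to evaluate.'; return }

# After replication converges, every DC reports the same timestamp and key version.
$distinct = @($ok | Select-Object PasswordLastSet, KeyVersion -Unique)
if ($distinct.Count -gt 1 -or $ok.Count -lt @($rows).Count) {
    Write-Warning 'DCs disagree or did not answer: resolve replication before any reset.'
}

$latest = ($ok | Sort-Object PasswordLastSet -Descending |
           Select-Object -First 1).PasswordLastSet
$age = $now - $latest
if ($age.TotalDays -gt $MaxAgeDays) {
    Write-Output ('krbtgt password is {0:N0} days old: rotation overdue.' -f $age.TotalDays)
} elseif ($age.TotalHours -lt $MinGapHours) {
    Write-Output ('Last reset {0:N1} hours ago: too early for the second reset.' -f $age.TotalHours)
} else {
    Write-Output ('krbtgt password is {0:N0} days old: within the interval.' -f $age.TotalDays)
}
```

Run it before the first reset and again before the second; the key version should have gone up by one on every DC in between.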