Re: krbtgt Account



It is normal to see that account disabled.

As its properties state, it is used for the KDC service, which
is the heart of Kerberos, the default auth technology in AD.

You are posting into the W2k newsgroups, so I assume your DCs are
W2k. If your domain is W2k3 based, then there is a utility to reset the
two default GPOs back to their as-first-set-up state
dcgpofix /?

It might be worth considering, if you have just inherited a potentially
mismanaged AD, to get to a known state. In general I recommend that
people define GPOs and make their policy adjustments in them rather
than using the two shipped default GPOs.
IIRC there are now KB articles outlining resetting of these for a W2k.

You could first copy the existing to new GPOs (using GPMC on an
XP or W2k3), link these at domain and DC OU with higher priority
than the default GPOs, then revert the defaults. Then, using the report
capability after getting reports for the copied and the reverted you
could do simple text/xml compare to see what they had changed.
etc.
Roger
"George Schneider" <georgedschneider@xxxxxxxxxxxxxx> wrote in message
news:D4DE2D68-36C1-4578-A0EA-DD1C540F1365@xxxxxxxxxxxxxxxx
The previous network admin had disabled it. I was wondering if I should
have it enabled. What does this account do?

"Roger Abell [MVP]" wrote:

Leave the account as it is.
This is the credential under which the issuance of initial Kerberos
service tickets happens.

"George Schneider" <georgedschneider@xxxxxxxxxxxxxx> wrote in message
news:EE83BD50-A084-4CB2-AF84-5740E87F9F7B@xxxxxxxxxxxxxxxx
Currently in our domain the krbtgt user account is disabled. Should this
account be enabled?
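
The report comparison Roger describes in his reply, as an added example that is not part of the original thread: it flattens two saved XML reports into path/value pairs and lists what differs between the reverted default GPO and the copy of the old one. The sample reports are constructed and simplified (not the real GPMC report schema), and the function names and the `ignore` parameter are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample reports (NOT the real GPMC report schema).
REVERTED = """<GPO><Name>Default Domain Policy</Name><Account>
  <MinimumPasswordLength>7</MinimumPasswordLength>
  <LockoutBadCount>0</LockoutBadCount></Account></GPO>"""
COPIED = """<GPO><Name>Copy of Default Domain Policy</Name><Account>
  <MinimumPasswordLength>0</MinimumPasswordLength>
  <LockoutBadCount>0</LockoutBadCount>
  <MaximumPasswordAge>0</MaximumPasswordAge></Account></GPO>"""

def local(tag):
    """Strip an XML namespace prefix: '{ns}Name' -> 'Name'."""
    return tag.rsplit('}', 1)[-1]

def flatten(xml_text):
    """Map every leaf element's path to its text.
    Repeated siblings get a positional index; attributes are ignored."""
    out = {}
    def walk(node, path):
        children = list(node)
        if not children:
            out[path] = (node.text or '').strip()
            return
        seen = {}
        for child in children:
            name = local(child.tag)
            seen[name] = seen.get(name, 0) + 1
            walk(child, f"{path}/{name}[{seen[name]}]")
    root = ET.fromstring(xml_text)
    walk(root, local(root.tag))
    return out

def diff_reports(reverted_xml, copied_xml, ignore=()):
    """Return (added, removed, changed) going from the reverted default
    to the copied GPO. 'ignore' lists paths expected to differ (names, ids)."""
    base = {k: v for k, v in flatten(reverted_xml).items() if k not in ignore}
    cust = {k: v for k, v in flatten(copied_xml).items() if k not in ignore}
    added = {k: cust[k] for k in cust.keys() - base.keys()}
    removed = {k: base[k] for k in base.keys() - cust.keys()}
    changed = {k: (base[k], cust[k])
               for k in base.keys() & cust.keys() if base[k] != cust[k]}
    return added, removed, changed

if __name__ == "__main__":
    for label, items in zip(("added", "removed", "changed"),
                            diff_reports(REVERTED, COPIED, {"GPO/Name[1]"})):
        print(label, items)
```

Because repeated siblings are matched by position, an entry inserted in the middle of a list shows up as several changes rather than one addition.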




