krbtgt Account

Currently in our domain the krbtgt user account is disabled. Should this
account be enabled?
 
Leave the account as it is.
This is the credential under which the issuance of initial Kerberos
service tickets happens.
 
The previous network admin had disabled it. I was wondering if I should have
it enabled. What does this account do?
 
It is normal to see that account disabled.

As its properties state, it is used for the KDC service, which
is the heart of Kerberos, the default auth technology in AD.

You are posting into the W2k newsgroups, so I assume your DCs are
W2k. If your domain is W2k3 based, then there is a utility to reset the
two default GPOs back to their as-first-set-up state:
dcgpofix /?

It might be worth considering, if you have just inherited a potentially
mismanaged AD, to get to a known state. In general I recommend that
people define GPOs and make their policy adjustments in them rather
than using the two shipped default GPOs.
IIRC there are now KB articles outlining resetting of these for a W2k.

You could first copy the existing to new GPOs (using GPMC on an
XP or W2k3), link these at domain and DC OU with higher priority
than the default GPOs, then revert the defaults. Then, using the report
capability after getting reports for the copied and the reverted you
could do simple text/xml compare to see what they had changed.
etc.
Roger
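
The report comparison Roger describes, sketched as an added example (not part of the original posts and not a Microsoft tool). The two XML strings are constructed, simplified stand-ins for GPMC XML reports of the copied and the reverted GPO; their element names and values are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample reports (not real GPMC exports, values are made up).
COPIED = """<GPO xmlns="urn:example:gpo"><Name>Copy of Default Domain Policy</Name>
 <Computer>
  <Account><Name>MinimumPasswordLength</Name><SettingNumber>4</SettingNumber></Account>
  <Account><Name>LockoutBadCount</Name><SettingNumber>0</SettingNumber></Account>
  <UserRights><Name>SeDebugPrivilege</Name>
   <Member>Administrators</Member><Member>helpdesk</Member></UserRights>
 </Computer></GPO>"""
REVERTED = """<GPO xmlns="urn:example:gpo"><Name>Default Domain Policy</Name>
 <Computer>
  <Account><Name>LockoutBadCount</Name><SettingNumber>0</SettingNumber></Account>
  <Account><Name>MinimumPasswordLength</Name><SettingNumber>7</SettingNumber></Account>
  <UserRights><Name>SeDebugPrivilege</Name><Member>Administrators</Member></UserRights>
 </Computer></GPO>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def flatten(elem, path=None, out=None):
    """Map each leaf to a path; containers are keyed by their Name child,
    so a setting matches its counterpart even if the report order differs."""
    path = local(elem.tag) if path is None else path
    out = {} if out is None else out
    kids = list(elem)
    if not kids:
        out.setdefault(path, []).append((elem.text or "").strip())
    for kid in kids:
        seg = local(kid.tag)
        key = next((g.text for g in kid if local(g.tag) == "Name"), None)
        if key and len(kid) > 1:
            seg = f"{seg}[{key.strip()}]"
        flatten(kid, f"{path}/{seg}", out)
    return out

def diff_reports(copied_xml, reverted_xml, ignore=("GPO/Name",)):
    """Return (path, copied values, reverted values) for every difference."""
    old = flatten(ET.fromstring(copied_xml))
    new = flatten(ET.fromstring(reverted_xml))
    changes = []
    for path in sorted(set(old) | set(new)):
        a, b = sorted(old.get(path, [])), sorted(new.get(path, []))
        if path not in ignore and a != b:
            changes.append((path, a, b))
    return changes

if __name__ == "__main__":
    for path, was, default in diff_reports(COPIED, REVERTED):
        print(f"{path}: copied={was} reverted={default}")
```

Each reported path is a setting the previous administrator's GPO carries that differs from the reverted default, which is the list to review before deciding what to keep.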
 
Hi,

Roger provided great information. I just want to provide the following articles
in case they can help also.

Key Distribution Center
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/key_distribution_center.asp>

Kerberos Technical Supplement for Windows
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/wss_ch7_kerbtechsupp.asp>

Have a good day!

Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================


