A colleague put the question to me today - how frequently (if ever) ought we to change the passwords for the Kerberos TGT (ticket-granting ticket) account? We have a fair-sized AD domain so it's not a trivial matter. Microsoft provides PowerShell scripts to minimise the risk of it breaking anything, and the account password is never divulged to any human, but that security measure does mean that if the process doesn't go to plan and authentication breaks, we're toast. Some advice is to change it from time to time, other advice is to leave well alone.
Any comments/experiences/wisdom anyone would care to share? Thanks.