!!! Overview [1]
[{$pagename}] ([KRBTGT]) in [Microsoft Windows] is the [Service Account] and a [Privileged Identity] for the [Key Distribution Center] ([KDC]) service that is used to apply [Digital Signatures] and [Encryption] every [authentication] [Ticket Granting Ticket] ([TGT]).

[{$pagename}] ([KRBTGT]) is effectively the [Trust Anchor] used for the [AD DOMAIN] and implies the [Ticket Granting Ticket] ([TGT]) can be used throughout the [AD DOMAIN] and presented to any [Domain Controller] in the [AD DOMAIN]. Losing control of the [{$pagename}] ([KRBTGT]) [password-hash] equates to losing control of the [AD DOMAIN].

[{$pagename}] account cannot be deleted, and the account name cannot be changed. 

[{$pagename}] account cannot be enabled in [Microsoft Active Directory].

[{$pagename}] is also the security principal name used by the [KDC] for a [Windows Server] domain, as specified by [RFC 4120]. 

[{$pagename}] account is the [entity] for the [Kerberos Authentication Service] and it is created automatically when a new [AD DOMAIN] is created.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Active Directory Accounts|Wikipedia:https://technet.microsoft.com/en-us/library/dn745899(v=ws.11).aspx#Sec_KRBTGT|target='_blank'] - based on information obtained 2017-05-25-