diff --git a/acl-updater/plugin/plugin.cpp b/acl-updater/plugin/plugin.cpp
index a2ac3b2..f67fe0b 100644
--- a/acl-updater/plugin/plugin.cpp
+++ b/acl-updater/plugin/plugin.cpp
@@ -87,7 +87,7 @@ post_modify (Slapi_PBlock *pb)
 				stream << "\n\n";
 	
 				stream << "# Internal Kerberos administration account\n";
-				stream << TQString("kadmin/%1@%2\tall").arg(rootaccountname).arg(realmname);
+				stream << TQString("kadmin/%1@%2\tall,get-keys").arg(rootaccountname).arg(realmname);
 				stream << "\n\n";
 	
 				stream << "# Configured realm administrators\n";
@@ -98,7 +98,7 @@ post_modify (Slapi_PBlock *pb)
 					krbConvertedUser.truncate(cmpos);
 					krbConvertedUser.remove(0, eqpos);
 					krbConvertedUser.append("@"+realmname);
-					stream << krbConvertedUser << "\tall\n";
+					stream << krbConvertedUser << "\tall,get-keys\n";
 				}
 				file.close();
 			}
diff --git a/confskel/heimdal/kadmind.acl b/confskel/heimdal/kadmind.acl
index b534354..29c2cd2 100644
--- a/confskel/heimdal/kadmind.acl
+++ b/confskel/heimdal/kadmind.acl
@@ -2,7 +2,7 @@
 # All changes will be lost!
 
 # Internal Kerberos administration account
-kadmin/@@@ROOTUSER@@@@@@@REALM_UCNAME@@@	all
+kadmin/@@@ROOTUSER@@@@@@@REALM_UCNAME@@@	all,get-keys
 
 # Configured realm administrators
-@@@ADMINUSER@@@@@@@REALM_UCNAME@@@	all
\ No newline at end of file
+@@@ADMINUSER@@@@@@@REALM_UCNAME@@@	all,get-keys