

Domain password hashes in SAM

Posted on 2012-09-04
Medium Priority
Last Modified: 2012-09-04
How can/why do domain hashes end up in the SAM file on 2-3 server domain controllers? I thought they were supposed to only be in the NTDS.DIT database? Our security admins have a responsibility to audit power user (domain admins/enterprise admins) password strength once every 6 months, and afaik they use a password hash dump utility on the SAM file, but how do you know how up to date the SAM file is? I.e. could they be auditing passwords that are 2 years old - I suppose understanding the reason why the domain hashes end up in the SAM file would be a good start.
Question by: pma111

Accepted Solution

Krzysztof Pytko earned 2000 total points
ID: 38362963
This is enabled by default (cache user profile). When a user logs on, their profile is cached. When no network connection is available, the user is able to log on in offline mode with the cached profile.

If you wish, you may change that in group policy to disallow caching profiles.


Author Comment

ID: 38362971
So all in all the hashes they use in SAM will be the most recent?

Expert Comment

by: Krzysztof Pytko
ID: 38362982
Yes, mostly what's available is the latest user password that was used during logon.

