Domain password hashes in SAM

Posted on 2012-09-04
Last Modified: 2012-09-04
How can/why do domain hashes end up in the SAM file on 2-3 server domain controllers? I thought they were supposed to only be in the NTDS.DIT database? Our security admins have a responsibility to audit power user (domain admins/enterprise admins) password strength once every 6 months, and afaik they use a password hash dump utility on the SAM file, but how do you know how up to date the SAM file is? I.e. could they be auditing passwords that are 2 years old - I suppose understanding the reason why the domain hashes end up in the SAM file would be a good start.
Question by: pma111

    Accepted Solution

    This is enabled by default (cache user profile). When a user logs on, their profile is cached. When no network connection is available, the user is able to log on in offline mode with the cached profile.

    If you wish, you may change that in group policy to disallow caching profiles.


    Author Comment

    So all in all the hashes they use in SAM will be the most recent?

    Expert Comment

    by: Krzysztof Pytko
    Yes, what's available is mostly the latest user password that was used during logon.

