Domain password hashes in SAM
Posted on 2012-09-04
How can/why do domain hashes end up in the SAM file on 2-3 server domain controllers? I thought they were supposed to only be in the NTDS.DIT database? Our security admins have a responsibility to audit power user (domain admins/enterprise admins) password strength once every 6 months, and as far as I know they use a password hash dump utility on the SAM file, but how do you know how up to date the SAM file is? I.e. could they be auditing passwords that are 2 years old? I suppose understanding the reason why the domain hashes end up in the SAM file would be a good start.