February 2014

Obtaining NTDS.dit Using In-Built Windows Commands

Further to our article on Password Audit of a Domain Controller, we've discovered a couple of shortcuts that greatly simplify the process.

Using the same underlying technique (Volume Shadow Copy Service), there is an in-built command (Windows 2008 and later) that backs up the crucial NTDS.dit file and the SYSTEM file (containing the key required to extract the password hashes), without the need for VBScript, third-party tools or injection into running processes.