by jabart 901 days ago
It sounds like this required both local access AND an Active Directory Domain Administrator account (which should have triggered EDR at some point), which is the end game anyway. They just managed to hop out of the AD environment to a non-AD server because of the other password being in this vault. Glad they made it more user-interactive to decrypt.

No, the final one only required local access as the user in question (this is mentioned after the one you're referring to that required AD Domain takeover).
Ah yeah.

1. Off-workstation decrypt using the AD DPAPI backup keys.
2. Local DPAPI list and dump for the Windows Hello biometric key.