I am considering moving a machine on which DPAPI encryption is used from one domain to another. Will doing this break or otherwise adversely affect the DPAPI configuration - and already encrypted data?

BrianCooksey

1 Answer

DPAPI keys are stored in the machine's profile and the user's profile. Changing the domain membership won't harm the encrypted data, but if you change the membership such that a user's account is no longer able to log on (you add the machine to DOMAINB, removing it from DOMAINA, and DOMAINB has no trust relationship with DOMAINA, such that DOMAINA users cannot log on), the user won't be able to access their keys.

Background: Windows Data Protection

Evan Anderson
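
A way to check the answer's point on the actual machine, as an added example that is not part of the original answer: the script protects a canary under both DPAPI scopes before the domain move and tries to unprotect it afterwards, also recording the account SID so a changed account is visible. It assumes Windows PowerShell 5.1; the `DpapiCanary` directory, the `-Mode` parameter and the canary string are constructed for this illustration.

```powershell
# Added example: DPAPI canary round-trip around a domain move.
# Run with -Mode Protect before the move and -Mode Verify afterwards.
param(
    [ValidateSet('Protect', 'Verify')] [string]$Mode = 'Protect',
    [string]$Dir = "$env:ProgramData\DpapiCanary"   # hypothetical location
)
Add-Type -AssemblyName System.Security
$sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$plain  = [System.Text.Encoding]::UTF8.GetBytes('dpapi-canary')  # constructed sample value
$scopes = 'CurrentUser', 'LocalMachine'

if ($Mode -eq 'Protect') {
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    foreach ($s in $scopes) {
        $scope = [System.Security.Cryptography.DataProtectionScope]$s
        $blob  = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $scope)
        [System.IO.File]::WriteAllBytes((Join-Path $Dir "$s.bin"), $blob)
    }
    Set-Content -Path (Join-Path $Dir 'sid.txt') -Value $sid
    "Canaries written for SID $sid"
}
else {
    # A different SID means a different account, hence different user-scope keys.
    $oldSid = (Get-Content (Join-Path $Dir 'sid.txt') | Select-Object -First 1)
    if ($oldSid -ne $sid) { "SID changed: $oldSid -> $sid" }
    foreach ($s in $scopes) {
        $scope = [System.Security.Cryptography.DataProtectionScope]$s
        $blob  = [System.IO.File]::ReadAllBytes((Join-Path $Dir "$s.bin"))
        try {
            $out = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
            $ok  = [System.Text.Encoding]::UTF8.GetString($out) -eq 'dpapi-canary'
            "{0,-12} decrypt OK: {1}" -f $s, $ok
        }
        catch {
            "{0,-12} decrypt FAILED: {1}" -f $s, $_.Exception.Message
        }
    }
}
```

Run both passes under each account that owns DPAPI-protected data, since the `CurrentUser` result depends on which account is logged on.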