I want to store a private key for an application in such a way that only authorized users can use it. In this scenario, Domain Admins are not authorized for this private key.
I want to set up an account so that the key is stored in the account's Certificate Store and encrypted with DPAPI. From what I read, a domain account is out of the question: based on https://support.microsoft.com/en-us/help/309408/how-to-troubleshoot-the-data-protection-api-dpapi, a Domain Admin can reset the password and the store gets re-encrypted.
But this leaves the option of using a local account. Is it correct that if a local admin resets the password, access to the master key is lost?
The master key for DPAPI is encrypted with the user's SID plus a hash of the user's password. More than one password-hash may be used.
If a user changes her/his password by providing the old password and a new one, the DPAPI data can still be accessed; the new password hash is used to encrypt the master key.
But if an administrator resets the password using
net user
or other commands and doesn't know the old password, all access to the DPAPI data is lost. If the password is changed back to the original one, access to the data should be available again, because the original encryption is still available.
It should be pretty easy for you to test this.
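The test the answer suggests, written out as an added example (this script is not from the original question or answer). It assumes a standalone, non-domain Windows machine, an elevated PowerShell 5.1 session running as a local administrator, and the account name, passwords and blob path it defines; it creates a throwaway local user, encrypts a secret under DPAPI as that user, has the administrator reset the password with `net user`, checks that decryption now fails, sets the original password back and checks that decryption works again.

```powershell
# Added example (not from the original post): reproduces the test the answer
# suggests. Run from an elevated PowerShell 5.1 session as a local Administrator
# on a standalone (non-domain) test machine. Account name, passwords and the
# blob path below are assumptions chosen for the demo.
$ErrorActionPreference = 'Stop'

$User     = 'dpapitest'
$OldPass  = 'Old-P@ssw0rd-1'      # kept at 14 chars so 'net user' does not prompt
$NewPass  = 'New-P@ssw0rd-2'
$BlobPath = Join-Path $env:PUBLIC 'dpapi-blob.bin'   # a path every local user can read/write

function Get-Cred([string]$Name, [string]$Plain) {
    $sec = ConvertTo-SecureString $Plain -AsPlainText -Force
    New-Object System.Management.Automation.PSCredential ("$env:COMPUTERNAME\$Name", $sec)
}

# Run a script in a separate powershell.exe as the test user, with the user's
# profile loaded (user DPAPI master keys live under the profile), and return the
# child's exit code so the caller can tell Protect/Unprotect success from failure.
function Invoke-AsUser([PSCredential]$Cred, [string]$Script) {
    $enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
    $p = Start-Process -FilePath 'powershell.exe' -Credential $Cred -LoadUserProfile `
         -WorkingDirectory $env:PUBLIC -PassThru -Wait `
         -ArgumentList '-NoProfile', '-NonInteractive', '-EncodedCommand', $enc
    return $p.ExitCode
}

# Child script 1: encrypt a secret with DPAPI in CurrentUser scope. The first
# call as a fresh user also creates that user's first DPAPI master key.
$protect = @"
Add-Type -AssemblyName System.Security
`$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
`$plain = [Text.Encoding]::UTF8.GetBytes('application private key material')
`$blob  = [System.Security.Cryptography.ProtectedData]::Protect(`$plain, `$null, `$scope)
[IO.File]::WriteAllBytes('$BlobPath', `$blob)
exit 0
"@

# Child script 2: try to decrypt the blob; exit 0 on success, 1 if the master
# key can no longer be unlocked (CryptographicException from Unprotect).
$unprotect = @"
Add-Type -AssemblyName System.Security
`$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
try {
    `$blob  = [IO.File]::ReadAllBytes('$BlobPath')
    `$plain = [System.Security.Cryptography.ProtectedData]::Unprotect(`$blob, `$null, `$scope)
    exit 0
} catch {
    exit 1
}
"@

# 1. Create the local test account ('net user /add' also puts it in Users).
net user $User $OldPass /add | Out-Null

# 2. As the user, with the original password: encrypt the secret.
if ((Invoke-AsUser (Get-Cred $User $OldPass) $protect) -ne 0) { throw 'Protect failed' }

# 3. Administrator resets the password without knowing the old one.
net user $User $NewPass | Out-Null
$afterReset = Invoke-AsUser (Get-Cred $User $NewPass) $unprotect

# 4. Administrator sets the original password back.
net user $User $OldPass | Out-Null
$afterRestore = Invoke-AsUser (Get-Cred $User $OldPass) $unprotect

"Unprotect after admin reset   : $(if ($afterReset   -eq 0) { 'succeeded' } else { 'FAILED (master key unusable)' })"
"Unprotect after password back : $(if ($afterRestore -eq 0) { 'succeeded' } else { 'FAILED' })"

# 5. Clean up the account and the blob ('net user /delete' leaves the profile
#    directory under C:\Users behind; remove it by hand).
net user $User /delete | Out-Null
Remove-Item $BlobPath -ErrorAction SilentlyContinue
```

If the answer is right, the first line reports FAILED and the second succeeded. `Start-Process -Credential` needs the Secondary Logon service running. Note what this test does and does not show: it demonstrates only that an administrative reset makes the existing master keys unusable. It says nothing about a local administrator who captures the user's password hash from the SAM, or the user's decrypted master key from a running session, before doing anything to the password; that is the separate question to settle before relying on a local account to keep a private key away from local admins.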