Suppose Alice logs into Windows machine M (which is part of an enterprise network managed through Active Directory). My understanding is that M will contact the domain controller to get Alice’s password hash, store it in the local SAM, and use it to verify Alice’s login.
How long is the password hash retained in the SAM? Once added, does it stay there forever? Or does it get automatically deleted after a certain period; and if so, how long is that period?
(Motivation: I’m trying to understand the security risks of password hashes stored in the SAM.)