One Day Sec

How can a domain user read all user hashes by exploiting ACL on ntds.dit?

An attacker can modify the ACL of the `ntds.dit` file (or its share) in a domain controller's SYSVOL to grant read access to a regular domain user. Once the ACL is changed, the user can access and extract all domain password hashes. This domain ACL exploitation technique is explained in the ACL article.
Tags: ntds.dit, domain penetration, ACL exploitation, hash extraction, SYSVOL
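
On the defensive side, the ACL change described above shows up as an extra allow ACE on the file. The following is an added example, not part of the original page: it parses an SDDL string, such as the one `(Get-Acl <path>).Sddl` returns, and reports trustees with read access beyond an assumed baseline of SYSTEM and BUILTIN\Administrators. The sample strings and the SID are constructed.

```python
import re

# SDDL right tokens -> access-mask bits (subset relevant to files).
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
}
# FILE_READ_DATA, GENERIC_READ or GENERIC_ALL lets the trustee read the file.
READ_BITS = 0x1 | RIGHTS["GR"] | RIGHTS["GA"]
# Assumption: only SYSTEM and BUILTIN\Administrators should be able to read.
EXPECTED = {"SY", "BA", "S-1-5-18", "S-1-5-32-544"}

# Constructed sample SDDL strings (not taken from a real domain controller).
BASELINE = "O:BAG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)"
TAMPERED = BASELINE + "(A;;FR;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"


def parse_mask(rights):
    """Turn an SDDL rights field (hex or two-letter tokens) into a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS[rights[i:i + 2]]  # KeyError on a token not in RIGHTS
    return mask


def unexpected_readers(sddl):
    """Return (trustee, mask) for each allow ACE granting read outside EXPECTED."""
    dacl = re.search(r"D:[^()]*((?:\([^)]*\))*)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        if ace_type != "A":  # only plain allow ACEs; deny/audit are skipped
            continue
        mask = parse_mask(rights)
        if mask & READ_BITS and trustee not in EXPECTED:
            findings.append((trustee, mask))
    return findings


if __name__ == "__main__":
    for name, sddl in (("baseline", BASELINE), ("tampered", TAMPERED)):
        print(name, [(t, hex(m)) for t, m in unexpected_readers(sddl)])
```

Running the check on a schedule and alerting on any non-empty result catches the drift even when the original change event was missed.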
