How does ADAudit Plus encrypt passwords for custom users and domain users?
For domain users, ADAudit Plus uses the default password 'admin' as the plaintext and hashes it with bcrypt using a random salt. For custom (non-domain) users, the actual user-provided password is the plaintext. In both cases, the first 29 bytes of the stored hash contain the salt used for hashing. More details can be found in the ADAudit Plus Exploitation Analysis — Data Encryption Analysis article.
bcrypt, password hash, salt, domain user, ADAudit Plus, encryption analysis