See perhaps recent story "Kerberoasting" about extracting encrypted service account credentials from Active Directory:

* https://news.ycombinator.com/item?id=45196437