An attacker is capable to create a Ticket Granting Ticket (TGT) by using the krbtgt domain user’s password hash to impersonate ANY domain user including the Domain Administrator(s). This ticket is valid for 10 years and can be renewed for ten more years. This means 20 years of full control over the domain. To do this I will demonstrate the golden ticket capability of the famous Mimikatz app by Benjamin Delpy. The audience can learn about Kerberos infrastructure, tickets and Windows privilege impersonation through this presentation. It includes the solution as well, how to defend our domain against these kind of attacks.