Members of the Backup Operators group may create privileged backups of any file on the system, including the HKLM\SAM and HKLM\SECURITY registry hives. These hives contain the NTLM password hashes of all local users on the system, including the local Administrator account.