Fix KB article image paths and cross-references after folder reorganization revert

After reverting the KB folder reorganization (PR #336), 169 KB articles had broken references:
- Image paths using incorrect relative depth (../../images/, ../../../images/)
- Cross-references pointing to non-existent subdirectory paths
- Missing ./ prefix on image paths

Fixed all three patterns:
1. Normalized all image paths to ./images/ format (relative to article location)
2. Removed subdirectories from KB cross-references (/docs/kb/product/file format)
3. Added ./ prefix to bare images/ references

Affected files by product:
- auditor: 51 files
- privilegesecure: 36 files
- accessanalyzer: 30 files
- directorymanager: 14 files
- endpointprotector: 14 files
- dataclassification: 12 files
- threatmanager: 7 files
- threatprevention: 4 files
- 1secure: 2 files
- general: 1 file

All KB articles now use consistent, working reference formats compatible with
the root-level folder structure.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: jake-mahon-netwrix

docs/kb/1secure/configure_proxy_for_rdp_connections_(installupdate_certificate_to_prevent_rdp_certificate_warnings).md

@@ -25,7 +25,7 @@ This article outlines the process for installing or updating a certificate to pr
 
   > **IMPORTANT:** The Certification Authority's post-deployment configuration must be completed after installing both prerequisite roles.
 
-  ![Certification Authority post-deployment configuration dialog with required options visible](../../images/servlet_image_22726c8e5cb9.png)
+  ![Certification Authority post-deployment configuration dialog with required options visible](./images/servlet_image_22726c8e5cb9.png)
 
 - The domain must have the **Enrollment Policy** set to enable automatic enrollment and renewal. The **Certificate Enrollment Policy** for user and computer certificates is configured in the **Group Policy** snap-in under **Default Domain Policy** (or another group policy applied to all systems that will access an NPS server on a group-by-group basis). To configure this:
 
@@ -39,28 +39,28 @@ This article outlines the process for installing or updating a certificate to pr
 > **NOTE:** If you already have a certificate to install, you can skip to the **Adding the Certificate to Each SbPAM Proxy Server** section below.
 
 1. Open **Certification Authority**, open your CA, right-click **Certificate Templates**, and click **Manage**.  
-   ![Certification Authority console with Certificate Templates context menu open](../../images/servlet_image_ebb3b2e4c66a.png)
+   ![Certification Authority console with Certificate Templates context menu open](./images/servlet_image_ebb3b2e4c66a.png)
 
 2. In the **Certificate Templates Console**, right-click **Workstation Authentication**, and click **Duplicate Template**.  
-   ![Certificate Templates Console with Duplicate Template option highlighted](../../images/servlet_image_e3eecaa55357.png)
+   ![Certificate Templates Console with Duplicate Template option highlighted](./images/servlet_image_e3eecaa55357.png)
 
 3. On the **General** tab, change the name to **Client-Server Authentication** and enable the **Publish certificate in Active Directory** checkbox.  
-   ![General tab of template properties with name and publish option highlighted](../../images/servlet_image_35245db9daa9.png)
+   ![General tab of template properties with name and publish option highlighted](./images/servlet_image_35245db9daa9.png)
 
 4. On the **Subject Name** tab, enable the **Supply in the request** radio button.  
-   ![Subject Name tab with Supply in the request option selected](../../images/servlet_image_2b1a501d40fd.png)
+   ![Subject Name tab with Supply in the request option selected](./images/servlet_image_2b1a501d40fd.png)
 
 5. On the **Extensions** tab, select **Application Policies** and click **Edit**. Click **Add**, then select **Server Authentication**. Click **OK** until you return to the **Properties of New Template** dialog.  
-   ![Extensions tab with Application Policies and Server Authentication highlighted](../../images/servlet_image_9ccee298858e.png)
+   ![Extensions tab with Application Policies and Server Authentication highlighted](./images/servlet_image_9ccee298858e.png)
 
 6. On the **Security** tab, select **Domain Computers** and enable the checkbox to allow **Autoenroll**. Click **OK** and then close the Certificate Templates Console.  
-   ![Security tab with Domain Computers and Autoenroll option checked](../../images/servlet_image_d2bd2889a956.png)
+   ![Security tab with Domain Computers and Autoenroll option checked](./images/servlet_image_d2bd2889a956.png)
 
 7. Back in **Certification Authority**, right-click **Certificate Templates**, hover over **New**, and click **Certificate Template to Issue**.  
-   ![Certification Authority with Certificate Template to Issue option highlighted](../../images/servlet_image_4e7a38bb30d6.png)
+   ![Certification Authority with Certificate Template to Issue option highlighted](./images/servlet_image_4e7a38bb30d6.png)
 
 8. Select **Client-Server Authentication** and click **OK**.  
-   ![Certificate Template selection dialog with Client-Server Authentication selected](../../images/servlet_image_d8afec47d2b9.png)
+   ![Certificate Template selection dialog with Client-Server Authentication selected](./images/servlet_image_d8afec47d2b9.png)
 
 9. On the desktop, create a text file named **request.inf** with the following content (replace the **red** text with your server certificate name):
 
@@ -95,44 +95,44 @@ This article outlines the process for installing or updating a certificate to pr
     certreq -new request.inf rdp.csr
     ```
 
-    ![Command Prompt showing certreq command execution](../../images/servlet_image_117381e3f99f.png)
+    ![Command Prompt showing certreq command execution](./images/servlet_image_117381e3f99f.png)
 
 11. To sign the certificate request, use your preferred signing mechanism. The following example uses Active Directory Certificate Services (`https://<servername>/certsrv`).  
-    ![Certificate Services web enrollment home page](../../images/servlet_image_c706e5610294.png) ![Certificate Services advanced certificate request page](../../images/servlet_image_0f3e849ec385.png)
+    ![Certificate Services web enrollment home page](./images/servlet_image_c706e5610294.png) ![Certificate Services advanced certificate request page](./images/servlet_image_0f3e849ec385.png)
 
     Click **Request a certificate**, then click **advanced certificate request**.
 
 12. Open the saved certificate signing request (**rdp.csr**) from the previous step in Notepad. Copy the certificate request into the **Saved Request** field. Select **Client-Server Authentication** from the **Certificate Template** dropdown. Click **Submit**.  
-    ![Certificate request submission form with fields filled](../../images/servlet_image_21d63c042bef.png)
+    ![Certificate request submission form with fields filled](./images/servlet_image_21d63c042bef.png)
 
     Leave other settings at default values, and click **Submit**.
 
 13. Select **DER encoded** and click **Download certificate**.  
-    ![Certificate download page with DER encoded option selected](../../images/servlet_image_ff7ee6960cb2.png)
+    ![Certificate download page with DER encoded option selected](./images/servlet_image_ff7ee6960cb2.png)
 
 14. Open the downloaded certificate and select **Install Certificate**. Proceed with all default values and complete the wizard.  
-    ![Certificate installation wizard with default options](../../images/servlet_image_9751657fe7cd.png)
+    ![Certificate installation wizard with default options](./images/servlet_image_9751657fe7cd.png)
 
 15. To export the certificate, view certificates for the current user by launching **certmgr.msc** using the Windows **Run** menu.  
-    ![Windows Run dialog with certmgr.msc entered](../../images/servlet_image_f5c0eb62aa44.png)
+    ![Windows Run dialog with certmgr.msc entered](./images/servlet_image_f5c0eb62aa44.png)
 
     Right-click the installed certificate (the certificate using the **Client-Server Authentication** template) and click **Export...**.  
-    ![Certificate export context menu](../../images/servlet_image_4f237c8e6acb.png)
+    ![Certificate export context menu](./images/servlet_image_4f237c8e6acb.png)
 
 16. In the **Certificate Export Wizard**, change the **Export Private Key** option to **Yes, export the private key**.  
-    ![Certificate Export Wizard with Export Private Key option selected](../../images/servlet_image_9a7649f21943.png)
+    ![Certificate Export Wizard with Export Private Key option selected](./images/servlet_image_9a7649f21943.png)
 
 17. For **Export File Format**, select **Personal Information Exchange - PKCS #12 (.PFX)**. Select the following checkboxes:
 
     - Include all certificates in the certification path if possible
     - Enable certificate privacy
 
-    ![Export File Format options with PKCS #12 and checkboxes selected](../../images/servlet_image_491abdc2366b.png)
+    ![Export File Format options with PKCS #12 and checkboxes selected](./images/servlet_image_491abdc2366b.png)
 
 18. For **Security**, enter a password of your choosing and select the AES256-SHA256 encryption option (3DES is no longer recommended by NIST).
 
     > **IMPORTANT:** For **File to Export**, the file name **must** be **rdp.pfx**. If it is named anything else, importing the .pfx file on each proxy server will not work.  
-    ![Export dialog with rdp.pfx file name entered](../../images/servlet_image_808a1a23eec9.png)
+    ![Export dialog with rdp.pfx file name entered](./images/servlet_image_808a1a23eec9.png)
 
 19. This certificate can now be imported to each SbPAM Proxy Server.
 
@@ -148,7 +148,7 @@ This article outlines the process for installing or updating a certificate to pr
    "C:\Program Files\Stealthbits\PAM\ProxyService\sbpam-proxy.exe" ca import -p [PATH]\rdp.pfx
    ```
 
-   ![Command Prompt showing sbpam-proxy.exe ca import command](../../images/servlet_image_07c7409683d2.png)
+   ![Command Prompt showing sbpam-proxy.exe ca import command](./images/servlet_image_07c7409683d2.png)
 
 3. The new certificate has now been imported to an SbPAM Proxy Server. Repeat this process for all SbPAM Proxy Servers if using more than one. (The default installation of SbPAM uses one proxy service on the SbPAM server itself; however, additional proxy services can be distributed.)
 

docs/kb/1secure/troubleshoot_failed_action_service_connections_to_windows_resources_(psremotingwinrm).md

@@ -86,7 +86,7 @@ There are Group Policy settings used to filter the origin of WinRM requests via
 
 Learn more about the **Allow remote server management through WinRM** Group Policy setting in [Configure Remote Management in Server Manager − Enabling or Disabling Remote Management ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/windows-server/administration/server-manager/configure-remote-management-in-server-manager#enabling-or-disabling-remote-management).
 
-![Windows Group Policy: Allow remote server management through WinRM](../../images/servlet_image_16fc9e2e2432.png)
+![Windows Group Policy: Allow remote server management through WinRM](./images/servlet_image_16fc9e2e2432.png)
 
 ### Allow full control to Remote Management Users
 

docs/kb/accessanalyzer/access-information-center-not-reporting-attribute-changes.md

@@ -37,7 +37,7 @@ Ensure that differential scans for AD Inventory are enabled and running. This wi
 
 - To enable differential scanning of AD Inventory, enable the **Collect only updates since the last scan** option in the query configuration as shown below:
 
-  ![Collect only updates since the last scan](images/servlet_image_bd5be116677a.png)
+  ![Collect only updates since the last scan](./images/servlet_image_bd5be116677a.png)
 
 - For further information on customizing the `AD > 1-AD_Scan` job, please visit: https://docs.netwrix.com/docs/auditor/10_8
 

docs/kb/accessanalyzer/access-information-center-requiring-domain-prefix-to-log-in-to-web-page.md

@@ -26,12 +26,12 @@ knowledge_article_id: kA0Qk0000001jO5KAI
 ## Symptom
 You receive the following error when Domain Prefix is required for log-in:
 
-![image (14).png](images/ka0Qk000000DXNx_00N0g000004CA0p_0EMQk00000AGwf1.png)
+![image (14).png](./images/ka0Qk000000DXNx_00N0g000004CA0p_0EMQk00000AGwf1.png)
 
 ## Cause
 Due to the change from IIS to a new web server, subdomain users will now need to include their domain prefix before their username when logging in.
 
-![Login prompt showing username field with domain prefix required.](images/ka0Qk000000DXNx_00N0g000004CA0p_0EMQk000009d2RO.png)
+![Login prompt showing username field with domain prefix required.](./images/ka0Qk000000DXNx_00N0g000004CA0p_0EMQk000009d2RO.png)
 
 > **NOTE:** You can create a more uniform and consistent log-in experience across all domains connected to the AIC by leaving it as is and requiring the domain prefix.
 

docs/kb/accessanalyzer/active-directory-permissions-analyzer-reports-are-outdated.md

@@ -27,7 +27,7 @@ knowledge_article_id: kA04u000000HDhRCAW
 
 Old data in the Active Directory Permissions Analyzer **(ADPA)** reports from deprecated Domains.  
 Example of the incorrect data:  
-![Chart  Description automatically generated](images/ka04u000000HdDV_0EM4u0000084aiy.png)
+![Chart  Description automatically generated](./images/ka04u000000HdDV_0EM4u0000084aiy.png)
 
 ## Cause
 
@@ -41,28 +41,28 @@ To do so you can follow the steps below.
 
 1. Create a new Job in the Netwrix Auditor console: right click the **Jobs Node** in the left-hand window and select **Create Job**:
 
-   ![Graphical user interface, application  Description automatically generated](images/ka04u000000HdDV_0EM4u0000084aiz.png)
+   ![Graphical user interface, application  Description automatically generated](./images/ka04u000000HdDV_0EM4u0000084aiz.png)
 
    Select the **Local host** in the jobs host list:
 
-   ![Graphical user interface, application  Description automatically generated](images/ka04u000000HdDV_0EM4u0000084aj0.png)
+   ![Graphical user interface, application  Description automatically generated](./images/ka04u000000HdDV_0EM4u0000084aj0.png)
 
 2. Click on the **Create Query**:
 
-   ![Graphical user interface, application, Word  Description automatically generated](images/ka04u000000HdDV_0EM4u0000084aj1.png)
+   ![Graphical user interface, application, Word  Description automatically generated](./images/ka04u000000HdDV_0EM4u0000084aj1.png)
 
 3. Configure the jobs query Properties.  
    Under the **Data Sources** tab, select the **ADPERMISSIONS** option from the dropdown menu then click on **Configure**.
 
-   ![Graphical user interface, application, Word  Description automatically generated](images/ka04u000000HdDV_0EM4u0000084aj2.png)
+   ![Graphical user interface, application, Word  Description automatically generated](./images/ka04u000000HdDV_0EM4u0000084aj2.png)
 
    Select **Remove Tables** and click **Next**:
 
-   ![Graphical user interface, text, application, email  Description automatically generated](images/ka04u000000HdDV_0EM4u0000084aj3.png)
+   ![Graphical user interface, text, application, email  Description automatically generated](./images/ka04u000000HdDV_0EM4u0000084aj3.png)
 
    Check the Results option: Click **Next** → **Finish** → **Ok**.
 
-   ![Graphical user interface, text, application  Description automatically generated](images/ka04u000000HdDV_0EM4u0000084aj4.png)
+   ![Graphical user interface, text, application  Description automatically generated](./images/ka04u000000HdDV_0EM4u0000084aj4.png)
 
 4. Now run the new Job.
 

docs/kb/accessanalyzer/collecting-ad-summary.md

@@ -31,9 +31,9 @@ Licensing of Netwrix Access Analyzer is based on the quantity of enabled AD user
 To find this data:
 
 1. Ensure **.Active Directory Inventory** has recently run or run now. Navigate to **Jobs** > **.Active Directory Inventory** > **1-AD_Scan** and click **Run Now**  
-   ![Group_001.png](images/ka0Qk000000Dl4L_0EM4u000008M8wx.png)
+   ![Group_001.png](./images/ka0Qk000000Dl4L_0EM4u000008M8wx.png)
 
 2. Navigate to **Jobs** > **.Active Directory Inventory** > **1-AD_Scan** > **Results** > **Active Directory Summary**
 
 3. Take a screenshot or otherwise capture the values displayed in **Total Users** and **Disabled Users**  
-   ![Group_002.png](images/ka0Qk000000Dl4L_0EM4u000008M8x2.png)
+   ![Group_002.png](./images/ka0Qk000000Dl4L_0EM4u000008M8x2.png)

docs/kb/accessanalyzer/console-migration-workflow-step-3-rebuild-the-console.md

@@ -97,7 +97,7 @@ Register-ScheduledTask -Xml (get-content $_.FullName | out-string) -TaskName $ta
 
 4. Open `\NAA_Migration\NAA\Web\webserver.exe.config` and copy the content between `<appSettings></appSettings>` and paste it in place of the `<appSettings></appSettings>` block in `%SAInstallDir%Web\webserver.exe.config`.
 
-   ![webserver config image](images/ka0Qk000000FDY1_0EMQk00000CFkgO.png)
+   ![webserver config image](./images/ka0Qk000000FDY1_0EMQk00000CFkgO.png)
 
    NOTE: Open the destination `webserver.exe.config` as an administrator by following these steps:
 
@@ -115,15 +115,15 @@ Register-ScheduledTask -Xml (get-content $_.FullName | out-string) -TaskName $ta
 
 6. Open the Netwrix Access Analyzer application and follow through the Access Analyzer Configuration Wizard, selecting **Choose a StealthAUDIT root folder path to copy from** if prompted.
 
-   ![Configuration Wizard image](images/ka0Qk000000FDY1_0EMQk00000CFxaL.png)
+   ![Configuration Wizard image](./images/ka0Qk000000FDY1_0EMQk00000CFxaL.png)
 
    1. See the following for more information on the Netwrix Access Analyzer Configuration Wizard: [Access Analyzer Initial Configuration](https://docs.netwrix.com/docs/accessanalyzer/12_0)
 
 7. After completing the Configuration Wizard, the Access Analyzer Application should open automatically.
 
 8. In the Access Analyzer Console, navigate to **Settings** > **Reporting**, and set the **Website URL** to contain the new console server's name.
 
-   ![Reporting settings image](images/ka0Qk000000FDY1_0EMQk00000CFqfK.png)
+   ![Reporting settings image](./images/ka0Qk000000FDY1_0EMQk00000CFqfK.png)
 
 9. If using Windows Authentication to connect Access Analyzer to its database (click **Settings** > **Storage**), open `services.msc` and set the **Netwrix Access Analyzer Web Server** service to log on as a **Windows** service account with appropriate permissions on the Access Analyzer database.
 

docs/kb/accessanalyzer/deleted-ad-user-s-still-show-in-netwrix-access-analyzer-reports.md

@@ -35,9 +35,9 @@ A failure on the ADI scan that could be caused by a myriad of reasons.
 Run a full **AD Inventory Scan** by disabling differential scanning for the **1-AD_Scan** job using the steps below:
 
 1. Navigate to **Access Analyzer > Jobs > .Active Directory Inventory > 1-AD_Scan > Configure > Queries > Query Properties > Configure > Options**.  
-   ![Image_2024-11-19_15-36-30.png](images/ka0Qk000000DYa9_0EMQk00000AdoIX.png)
+   ![Image_2024-11-19_15-36-30.png](./images/ka0Qk000000DYa9_0EMQk00000AdoIX.png)
 2. Uncheck the box for **Collect only updates since the last scan**.  
-   ![Image_2024-11-19_15-37-33.png](images/ka0Qk000000DYa9_0EMQk00000AdoSD.png)
+   ![Image_2024-11-19_15-37-33.png](./images/ka0Qk000000DYa9_0EMQk00000AdoSD.png)
 3. Click **Next** through the end of the Active Directory Inventory DC Wizard.
 4. Re-run the **1-AD_Scan** job.
 5. Select the previously-unchecked box for **Collect only updates since the last scan**.

docs/kb/accessanalyzer/disabling-the-server-header.md

@@ -30,7 +30,7 @@ This article explains how to disable the server header in Netwrix Access Analyze
 > **NOTE:** Banner grabbing is the process of capturing banner information, such as application type and version, that is transmitted by a remote port when a connection is initiated. For more information, see Banner Grabbing ⸱ NIST 🔗  
 > https://csrc.nist.gov/glossary/term/banner_grabbing
 >
-> ![Screenshot showing server information revealed through banner grabbing](images/ka0Qk000000E74r_0EMQk00000Brg4P.png)
+> ![Screenshot showing server information revealed through banner grabbing](./images/ka0Qk000000E74r_0EMQk00000Brg4P.png)
 
 ## Instructions
 
@@ -42,11 +42,11 @@ Follow these steps to disable the server header in Netwrix Access Analyzer:
 3. Set the value to:
    `DWORD: 000002`
 
-   ![Registry editor showing disabled server header](images/ka0Qk000000E74r_0EMQk00000CHuq5.png)
+   ![Registry editor showing disabled server header](./images/ka0Qk000000E74r_0EMQk00000CHuq5.png)
 4. Reboot the server to apply the changes.
 5. After the reboot, the result should resemble the Edge example below, in which the Server node is no longer listed.
 
-![Screenshot showing browser developer tools with no server header information displayed](images/ka0Qk000000E74r_0EMQk00000BrSj0.png)
+![Screenshot showing browser developer tools with no server header information displayed](./images/ka0Qk000000E74r_0EMQk00000BrSj0.png)
 
 > **IMPORTANT:** Modifications to this registry setting may occur due to the following reasons:
 > - Netwrix Access Analyzer and Netwrix Access Information Center do not modify this setting during patching.

docs/kb/accessanalyzer/display-new-names-of-renamed-files-in-access-information-center.md

@@ -31,4 +31,4 @@ How to establish the new name a file was renamed to in Netwrix Access Analyzer?
 2. Right-click the header bar and select **Target Path**.
 3. The **Target Path** will show the new name of the renamed file.
 
-![Activity Details showing Target Path](images/ka04u000000wwHf_0EM4u000008pesA.png)
+![Activity Details showing Target Path](./images/ka04u000000wwHf_0EM4u000008pesA.png)