WaterExecution/vulnerable-AD-plus — reverse-engineered prompt
Reverse engineered prompt
Build me a PowerShell tool that sets up a deliberately vulnerable Active Directory lab on a local domain controller so I can practice common AD attack paths safely. I want it to work after AD is already installed on the DC, and it should be easy to run with something like a single command where I can pass the domain name and a rough user count.
Please include ways to enable and randomize a wide spread of realistic weaknesses, like Kerberoasting, AS-REP roasting, weak ACL and ACE setups, DnsAdmins abuse, passwords in user descriptions, password spraying conditions, DCSync, ticket attacks, pass the hash, pass the ticket, disabled SMB signing, weak WinRM permissions, anonymous LDAP queries, and public SMB shares. If something needs a client workstation or depends on Windows version, handle that clearly.
I also want it to be obvious this is for a local lab only, with simple usage examples and basic notes on what gets changed. If you need details, check current AD and PowerShell docs online.