The **DCSync **permission implies having these permissions over the domain itself: DS-Replication-Get-Changes, **Replicating Directory Changes All **and Replicating Directory Changes In Filtered Set.
Important Notes about DCSync:
The **DCSync attack simulates the behavior of a Domain Controller and asks other Domain Controllers to replicate information **using the Directory Replication Service Remote Protocol (MS-DRSR). Because MS-DRSR is a valid and necessary function of Active Directory, it cannot be turned off or disabled.
By default only Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups have the required privileges.
If any account passwords are stored with reversible encryption, an option is available in Mimikatz to return the password in clear text
Then, you can** check if the user was correctly assigned** the 3 privileges looking for them in the output of (you should be able to see the names of the privileges inside the "ObjectType" field):