@NataliaAntonova Actually, that'd be one hell of a pen-test report... I in-person-catfished your sysadmin and gave him/her a QR to scan, they logged in with their Domain Admin creds.
I mean, if you're going to drop USB sticks in the employee car-park, why not try get a date/meal too 😀