Some ideas around this. I haven't personally tested these, but I do know that this method is used by some organizations:

Since the DST relies on querying AD for accounts, it relies on permissions/ACLs on objects to read those accounts and their attributes.