Got a POC working and can start navigating around the system. With that was able to do research and found a way to circumvent functionality that is disabled. Found a user that shouldn’t have a certain setting enabled but he does. Pulled on that thread but it seems that the directoryy I want to write to and the directory that comes back as part of a query with privs are two different ones. Don’t know if I can pivot any further or if someone dorked the box on purpose. Any guidance?