Read my writeup of the Support machine on:
TL;DR
User: By enumerating the SMB shares, we found the file UserInfo.exe.zip on the support-tools share. Decompiling the file with dnSpy revealed the password of the ldap user. Enumerating the domain users with ldapsearch and the ldap credentials, we found the password of the support user in the info field.
Root: By running BloodHound, we can see that the support user has the AddAllowedToAct permission. Using that, we create a new machine account and impersonate the Administrator user.
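
From the defender's side, the Root chain above leaves two Security-log events that can be correlated. The following is an added example, not part of the original writeup: it assumes simplified records from Windows events 4741 (computer account created) and 5136 (directory object modified, which requires directory-service change auditing), and every account name and DN in the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events using a simplified subset of the fields found in
# Windows Security events 4741 and 5136; none of these values are from the page.
EVENTS = [
    {"id": 4741, "time": "2024-01-10T10:00:00", "SubjectUserName": "support",
     "TargetUserName": "EXAMPLE01$"},
    {"id": 5136, "time": "2024-01-10T10:02:30", "SubjectUserName": "support",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=example,DC=local",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"id": 5136, "time": "2024-01-10T11:00:00", "SubjectUserName": "helpdesk",
     "ObjectDN": "CN=WS01,CN=Computers,DC=example,DC=local",
     "AttributeLDAPDisplayName": "description"},
    {"id": 4741, "time": "2024-01-10T12:00:00", "SubjectUserName": "joinsvc",
     "TargetUserName": "WS02$"},
]

# Attribute written when resource-based constrained delegation is configured.
RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"


def find_rbcd_chains(events, window=timedelta(hours=1), allowed=frozenset()):
    """Flag writes to the RBCD attribute; severity is high when the same
    account also created a computer account within `window` beforehand."""
    created = {}  # subject -> [(time, new machine account name)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        who = ev["SubjectUserName"].lower()
        if who in allowed:  # accounts expected to manage delegation
            continue
        if ev["id"] == 4741:
            created.setdefault(who, []).append((when, ev["TargetUserName"]))
        elif (ev["id"] == 5136 and
              ev.get("AttributeLDAPDisplayName", "").lower() == RBCD_ATTR):
            recent = [name for t, name in created.get(who, [])
                      if timedelta(0) <= when - t <= window]
            alerts.append({"subject": who, "target": ev["ObjectDN"],
                           "new_machines": recent,
                           "severity": "high" if recent else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_rbcd_chains(EVENTS):
        print(alert)
```
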