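// Report principals that hold control rights over OUs, but only when at least
// one domain controller in the collected data runs Windows Server 2025.
// Output: one row per principal name with the distinct OU names it has rights on.

// Step 1: Require at least one DC running Windows Server 2025.
// DCs are identified by membership in the well-known Domain Controllers group
// (RID 516); the OS test is a substring match on the collected operatingsystem
// attribute. Cypher has no ENDSWITH() function and a node property map only
// accepts a value, so the suffix test belongs in WHERE (the original
// `{objectid: ENDSWITH('-516')}` would fail at parse/plan time).
MATCH (dc:Computer)-[:MemberOf]->(dcGroup:Group)
WHERE dcGroup.objectid ENDS WITH '-516'
  AND dc.operatingsystem CONTAINS '2025'
WITH count(dc) AS win2025DCCount
// count() over no matches yields a single row with 0, which this filter drops,
// so the rest of the pipeline produces no rows when no 2025 DC exists.
WHERE win2025DCCount > 0

// Step 2: Collect SIDs of principals whose OU rights are expected by design and
// are therefore excluded from the report. A single sentinel row carries the
// "a 2025 DC exists" fact forward so the later MATCH clauses still execute.
// (p) is left unlabeled because the listed SIDs may belong to nodes of
// different kinds; this is a full node scan, acceptable for an audit query.
WITH true AS has2025DC
MATCH (p)
WHERE p.objectid ENDS WITH '-512'       // Domain Admins
   OR p.objectid = 'S-1-5-32-544'       // Builtin Administrators
   OR p.objectid = 'S-1-5-18'           // SYSTEM
   OR p.objectid ENDS WITH '-519'       // Enterprise Admins
WITH collect(p.objectid) AS excludedSIDs, has2025DC

// Step 3: Principals holding control-type edges directly on OUs, minus the
// excluded SIDs. Only direct edges are considered; rights reaching an OU via
// group membership are not expanded here.
// NOTE(review): the DC check in step 1 is dataset-wide, not per domain — in a
// multi-domain graph an OU is still reported when its own domain has no 2025 DC.
// NOTE(review): confirm the edge-kind list matches the ingestor/schema version in
// use; newer schemas may expose additional ownership-related edge kinds.
MATCH (principal)-[r]->(ou:OU)
WHERE type(r) IN ['GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'Owns']
  AND NOT principal.objectid IN excludedSIDs
RETURN principal.name AS Identity,
       collect(DISTINCT ou.name) AS OUs
// Deterministic output order for diffing successive audit runs.
ORDER BY Identity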