Active Directory Password Synch Agent--can it determine whether a user is an admin?