Why is the "Is 'Accounts: Administrator account status' set to 'Disabled'?" check failing in Control Compliance Suite (CCS) when run against domain controllers?