Forum Discussion
Any honeytoken program thoughts to share?
You should create as many honeytoken users and devices as possible and spread them around interesting OUs in AD. I suggest that you give honeytoken users the same permissions and group memberships as the other users in the specific OU have, but be sure you are able to respond to honeytoken alerts quickly in that case.
When testing honeytoken users and devices I ran into an issue. The alert was triggered only when the honeytoken user or device performed an action, and not when I did reconnaissance on the device or user. For example, when I tried to authenticate using a honeytoken user and a wrong password, the alert was not triggered.
This got me thinking about how an adversary would even get access to a honeytoken user/device. If a honeytoken user is not logged on to any computer, it is possible to get its password hash only from the DC's ntds.dit file, which requires domain admin privileges to access. From this conclusion, honeytokens are not very useful...
Did you have other experiences when testing honeytokens, or do you have another opinion or ideas for their usage?
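Added example (not code from the original post or from any vendor tool): the post notes that a wrong-password attempt against a honeytoken user produced no alert. A cheap complementary check is to flag any authentication event that names a decoy account, regardless of outcome, so failed attempts are surfaced as well. The detector below is a Python sketch that assumes decoy account names are kept in a hypothetical `HONEYTOKEN_USERS` set and that events arrive as dicts with flattened Windows Security event fields (`EventID`, `TargetUserName`, `IpAddress`, `Status`); the sample events are constructed for this example.

```python
"""
Added example, not code from the forum post: a small complementary detector
that flags ANY authentication event naming a honeytoken account, whether the
attempt succeeded or failed, so that a wrong-password attempt against a decoy
user is surfaced even if the primary tool only alerts on actions the account
itself performs.

Assumptions (hypothetical): decoy account names are listed in HONEYTOKEN_USERS,
and events arrive as dicts with flattened Windows Security event fields
(EventID, TargetUserName, IpAddress, Status). The sample events below are
constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical decoy accounts; in practice load these from a protected list.
HONEYTOKEN_USERS = {"svc-backup-legacy", "hr.intern3"}

# Windows Security event IDs that name a target account during authentication.
AUTH_EVENT_IDS = {
    4624: "successful logon",
    4625: "failed logon",
    4768: "Kerberos TGT request",
    4771: "Kerberos pre-authentication failed",
    4776: "NTLM credential validation",
}


@dataclass(frozen=True)
class HoneytokenAlert:
    account: str
    event_id: int
    description: str
    source_ip: str
    succeeded: bool


def _normalize_account(target: str) -> str:
    # Accept DOMAIN\user, user@domain and plain user; sAMAccountName is case-insensitive.
    return target.split("\\")[-1].split("@")[0].strip().lower()


def classify(event: dict) -> Optional[HoneytokenAlert]:
    """Return an alert if the event touches a honeytoken account, else None."""
    try:
        event_id = int(event.get("EventID", 0))
    except (TypeError, ValueError):
        return None
    if event_id not in AUTH_EVENT_IDS:
        return None
    account = _normalize_account(str(event.get("TargetUserName", "")))
    if account not in {u.lower() for u in HONEYTOKEN_USERS}:
        return None
    status = str(event.get("Status", "")).strip().lower()
    # 4624 is always a success; 4768 and 4776 carry a status code where 0x0 (or a
    # missing value, by assumption here) means success. 4625 and 4771 are failures
    # by definition and are still alerted on: a failed attempt against a decoy is
    # exactly the reconnaissance signal the post says went unnoticed.
    succeeded = event_id == 4624 or (event_id in (4768, 4776) and status in ("", "0x0"))
    return HoneytokenAlert(
        account=account,
        event_id=event_id,
        description=AUTH_EVENT_IDS[event_id],
        source_ip=str(event.get("IpAddress", "-")),
        succeeded=succeeded,
    )


def scan(events: Iterable[dict]) -> List[HoneytokenAlert]:
    """Run classify() over an event stream and keep only honeytoken hits."""
    return [alert for alert in (classify(e) for e in events) if alert is not None]


# Constructed sample events: a wrong-password Kerberos pre-auth failure against a
# decoy, a failed NTLM logon against a decoy, a failed logon for an ordinary user,
# and a normal successful logon for an ordinary user.
SAMPLE_EVENTS = [
    {"EventID": 4771, "TargetUserName": "hr.intern3", "IpAddress": "10.0.5.23", "Status": "0x18"},
    {"EventID": 4625, "TargetUserName": "CORP\\svc-backup-legacy", "IpAddress": "10.0.5.23", "Status": "0xc000006d"},
    {"EventID": 4625, "TargetUserName": "CORP\\jsmith", "IpAddress": "10.0.7.8", "Status": "0xc000006d"},
    {"EventID": 4624, "TargetUserName": "jsmith@corp.example", "IpAddress": "10.0.7.8", "Status": ""},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"HONEYTOKEN {alert.account}: {alert.description} (event {alert.event_id}) "
              f"from {alert.source_ip}, succeeded={alert.succeeded}")
```

Run against the constructed sample, only the two events naming decoy accounts come back, both marked as failed attempts; the ordinary user's failed and successful logons are ignored. Feeding the same logic a real event stream (for example from the DCs' Security logs) gives a second alert path that does not depend on the decoy account ever doing anything.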