Thanks for sharing, ajdsi. I think your method would be much better for someone working in an ITIL environment who needs to replicate the failure to propagate security policy on a test environment before being allowed to make production changes.
As people usually have more than one DC, I suppose another method could be to isolate a DC and test that.