Domain Admin is one of the highest privilege levels you can have on a Windows network. It has all of the access of a local admin. Out of the box, a Domain Admin will never get the “Access Denied (5)” message; if it does, it can correct the problem by granting itself access. Domain Admin grants all sorts of outrageous permissions and should be highly reserved: it can remotely manage the firewall service on a computer and allow remote control, reboot any computer on your domain remotely (shutdown -m \\computername /f /r /t 000), remotely terminate or start any process of your liking, and has full access to all filesystems.
In a penetration test, compromising a domain admin account is one of the last checkpoints. The ability to log in as one of these accounts means all doors are open; you just need to walk through them to retrieve whatever you want.
Ideally you don’t want to log onto workstations with a domain admin account. If cached domain logons are enabled on the workstation (they are by default), you can run a program called cachedump and get the hash of any account that has logged on locally.
Once you have the hash, a cracking program with the proper set of rainbow tables can recover weak passwords in seconds and strong passwords in minutes.
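The workstation-logon rule above can be checked against the Security log. As an added example (not from the original post), the following Python filters constructed Windows event 4624 records for Domain Admin logons to workstations that leave credential material behind; the host names, accounts and group membership are constructed sample data.

```python
# Added example (not from the original post): flag Domain Admin logons on
# workstations that leave credential material on the host, using constructed
# Security event 4624 records. Field names follow the event; values are samples.
from dataclasses import dataclass

# Logon types that leave reusable credential material on the host:
# 2 = Interactive (console), 10 = RemoteInteractive (RDP),
# 11 = CachedInteractive (the logon itself used cached credentials,
# direct evidence that the workstation holds a cached verifier).
# Type 3 (Network) does not cache credentials, so it is not flagged.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 10, 11}


@dataclass(frozen=True)
class Logon4624:
    computer: str        # host that logged the event
    target_domain: str   # TargetDomainName
    target_user: str     # TargetUserName
    logon_type: int      # LogonType


def find_risky_da_logons(events, domain_admins, workstations):
    """Return (computer, DOMAIN\\user, logon_type) for every Domain Admin
    logon that caches credentials on a workstation. Matching is
    case-insensitive, as Windows account and host names are."""
    admins = {a.casefold() for a in domain_admins}
    hosts = {w.casefold() for w in workstations}
    hits = []
    for e in events:
        account = f"{e.target_domain}\\{e.target_user}"
        if (account.casefold() in admins
                and e.computer.casefold() in hosts
                and e.logon_type in CREDENTIAL_CACHING_LOGON_TYPES):
            hits.append((e.computer, account, e.logon_type))
    return hits


# Constructed sample data (hypothetical hosts and accounts).
SAMPLE_EVENTS = [
    Logon4624("WS-FINANCE-07", "CORP", "jsmith", 2),    # ordinary user: fine
    Logon4624("WS-FINANCE-07", "CORP", "da_admin", 2),  # DA console logon: flag
    Logon4624("WS-HR-02", "CORP", "da_admin", 3),       # network logon: nothing cached
    Logon4624("WS-HR-02", "CORP", "da_admin", 10),      # DA over RDP: flag
    Logon4624("DC01", "CORP", "da_admin", 2),           # DA on a DC is expected
    Logon4624("WS-DEV-11", "CORP", "DA_Admin", 11),     # cached logon, case differs: flag
]
SAMPLE_DOMAIN_ADMINS = {"CORP\\da_admin"}
SAMPLE_WORKSTATIONS = {"WS-FINANCE-07", "WS-HR-02", "WS-DEV-11"}

if __name__ == "__main__":
    for computer, user, lt in find_risky_da_logons(
            SAMPLE_EVENTS, SAMPLE_DOMAIN_ADMINS, SAMPLE_WORKSTATIONS):
        print(f"ALERT: {user} logged on to {computer} with logon type {lt}")
```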
Also, dumping LSA secrets on a SQL server can generally give you domain admin access, because the SQL service account’s password is stored there. Even when that account is not a domain admin, it generally has a handful of privileges you wouldn’t want anyone on your network to have.