by youdontknowtho 3255 days ago
That's why MS recommends that you use a separate forest for admins only these days. You only administer things with remote tools via a trust, you only enable admin perms as long as you absolutely need them, and you put admins in the Protected Users group so that they can only do Kerberos. It won't stop other people's creds from getting stolen, but it makes complete ownership of the domain less likely. That being said, if you have service accounts running as domain admin, or you have service accounts with "delegate to any service" perms...all bets are off.

It's so hard to get this right these days. I'm just recommending that people move all their clients to Azure AD join and put servers in resource forests.

NTLM has got to go and hardware/virtualization based security like Device Guard has to become the norm.
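An added audit script (not the commenter's code) that checks a domain for the three conditions the comment calls out: privileged accounts missing from Protected Users, service accounts (user objects with an SPN) holding privileged group membership, and accounts with unconstrained "delegate to any service" delegation. It assumes the RSAT ActiveDirectory module, read access to the domain, and a domain functional level of 2012 R2 or later so that the Protected Users group exists; the group list in $privGroups is an assumption and should be extended to match local conventions.

```powershell
# Read-only audit of the conditions described in the comment above.
# Assumes the RSAT ActiveDirectory module is installed on the host it runs from.
Import-Module ActiveDirectory

# Assumed list of privileged groups; extend for site-specific admin groups.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Members of Protected Users can only authenticate with Kerberos (no NTLM,
# no DES/RC4, no delegation), which is the protection the comment relies on.
$protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction Stop |
               Select-Object -ExpandProperty SamAccountName)

# Flatten nested membership of the privileged groups down to user objects.
$priv = $privGroups | ForEach-Object {
    Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue
} | Where-Object { $_.objectClass -eq 'user' } | Sort-Object -Unique SamAccountName

# 1. Privileged users whose creds can still be cached or used over NTLM.
$notProtected = $priv | Where-Object { $protected -notcontains $_.SamAccountName }

# 2. Service accounts (user objects carrying an SPN) that are also privileged:
#    the "service accounts running as domain admin" case.
$spnUsers = Get-ADUser -Filter { ServicePrincipalName -like "*" } -Properties ServicePrincipalName
$privSvc  = $spnUsers | Where-Object { $priv.SamAccountName -contains $_.SamAccountName }

# 3. Unconstrained delegation ("delegate to any service"). Domain controllers
#    are trusted for delegation by design, so they are excluded from the report.
$dcs = (Get-ADDomainController -Filter *).Name
$unconstrained = @(Get-ADUser -Filter { TrustedForDelegation -eq $true }) +
                 @(Get-ADComputer -Filter { TrustedForDelegation -eq $true } |
                   Where-Object { $dcs -notcontains $_.Name })

# Summary object: every non-empty list is a finding to remediate.
[pscustomobject]@{
    PrivilegedNotInProtectedUsers = @($notProtected.SamAccountName)
    PrivilegedServiceAccounts     = @($privSvc.SamAccountName)
    UnconstrainedDelegation       = @($unconstrained.SamAccountName)
} | Format-List
```

Each list in the output maps directly to one of the comment's conditions; empty lists across all three is the expected state for a domain following the admin-forest model.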