* Secretary's workstation gets owned via a zero-day.
* Attacker installs a keylogger.
* Attacker "breaks" the workstation's join to the domain.
* Domain admin shows up to re-join the workstation to the domain (to "fix it").

Now the attacker has the credentials necessary to manage all of AD and give themselves rights to whatever they want. Also, since AD doesn't use a salt with password hashes, the attacker can now trivially obtain the passwords of every employee in the company, along with things like service accounts. It's game over at that point--rebuild-everything time.