In my previous blog posts, I gave two examples of a privileged user could easily hose your Active Directory: by changing deny logon rights and by erasing the DNS entries on a domain controller.
You might be thinking those are just hypothetical scenarios…