Monday, October 26, 2015

Machines Can Be Admins Too

An interesting property of Windows account management and Active Directory is that a machine account can do everything a user account can, including being a member of a group. That membership then applies to the actions that computer's SYSTEM account takes on the network. If a machine account is added to the Domain Admins group, processes running as SYSTEM on that machine will have complete access to the domain. However, that access only comes into play at the next boot; existing processes use a token that does not include newly added group memberships.
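A defender's check for the condition described above, as an added example that is not part of the original post: it walks direct and nested group membership in a constructed directory export and reports computer accounts that end up in Domain Admins, with the group chain that grants it. The entry layout, the `example.test` names, the `Tier0 Servers` group and the `machine_members` function are assumptions made for illustration.

```python
from collections import deque

BASE = "DC=example,DC=test"  # constructed domain, not from the post
DA = f"CN=Domain Admins,CN=Users,{BASE}"
T0 = f"CN=Tier0 Servers,OU=Groups,{BASE}"  # hypothetical nested group
COMPUTER = ["top", "person", "organizationalPerson", "user", "computer"]

# Constructed sample export: DN -> attributes (as an LDAP query would return).
ENTRIES = {
    DA: {"objectClass": ["top", "group"],
         "member": [f"CN=alice,CN=Users,{BASE}", T0]},
    T0: {"objectClass": ["top", "group"],
         "member": [f"CN=BUILD01,CN=Computers,{BASE}", DA]},  # DA here forms a cycle
    f"CN=alice,CN=Users,{BASE}": {
        "objectClass": COMPUTER[:4], "sAMAccountName": "alice"},
    f"CN=BUILD01,CN=Computers,{BASE}": {
        "objectClass": COMPUTER, "sAMAccountName": "BUILD01$"},
    f"CN=WS42,CN=Computers,{BASE}": {
        "objectClass": COMPUTER, "sAMAccountName": "WS42$"},
}


def machine_members(entries, group_dn):
    """Map each computer account that is a direct or nested member of
    group_dn to the chain of groups through which it gets membership."""
    found = {}
    seen = {group_dn}                      # guards against group cycles
    queue = deque([(group_dn, [group_dn])])
    while queue:
        dn, chain = queue.popleft()
        for member_dn in entries.get(dn, {}).get("member", []):
            attrs = entries.get(member_dn)
            if attrs is None:              # member not present in the export
                continue
            classes = {c.lower() for c in attrs["objectClass"]}
            if "computer" in classes:
                found.setdefault(attrs["sAMAccountName"], chain)
            elif "group" in classes and member_dn not in seen:
                seen.add(member_dn)
                queue.append((member_dn, chain + [member_dn]))
    return found


if __name__ == "__main__":
    for account, chain in machine_members(ENTRIES, DA).items():
        print(f"{account} is in Domain Admins via: {' -> '.join(chain)}")
```

Membership held through an account's primary group is not listed in the group's `member` attribute, so a real export needs that checked separately.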
