A key characteristic of sophisticated, targeted attacks against computer networks is lateral movement: starting from an initial point of infection with limited privileges and pivoting within the network until the attacker controls an account with administrative privileges over the entire domain. These techniques are used by nation states and penetration testers alike, and more recently have become associated with targeted ransomware campaigns. Microsoft's hardening guides advise that Domain Admin accounts are only needed in build and disaster recovery scenarios, and that there should be no day-to-day user accounts in the Domain Admins group.

