Great point. I agree completely. However, a large network is much harder to secure than a small one. Even after group policies have been applied there is still a pretty good change that at least one machine exists with a missing patch that will lead to a SYSTEM level exploit or there will be an admin account with a blank password. One domain machine could lead to a complete domain compromise using this technique.