Yeah, my company has AD providing authn/authz for our vCenter VMware, and we have an "ESX Admins" AD group.
And a couple years ago we learned the hard way what happens if your AD Domain Controllers are all VMs and things go down hard. We eventually beat the lockouts and got in but it was brutal and scary. We resolved to have at least one hardware DC thereafter.
I think the reason I'm not all hair-on-fire about this CVE is that, as I understand it, the Bad Actor has to already be in your system and have sufficient creds in AD to create or add to an AD Group. If that's the case your goods are already in deep trouble, and while this adds more, it's not the root cause of the intrusion.
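Since the commenter's point is that the attacker needs rights to create or populate the "ESX Admins" group, the practical follow-up is to audit that group: does it exist, when was it created, who is in it, and who can change its membership. Below is an added PowerShell example (mine, not the commenter's, and not VMware or Microsoft tooling). It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory, and it uses the group name "ESX Admins" from the post; change `$groupName` if your hosts are configured to trust a different group.

```powershell
# Added example, not from the post above. Assumes the ActiveDirectory module
# (RSAT) and a domain-joined host with read access to AD.
Import-Module ActiveDirectory

$groupName = 'ESX Admins'   # name from the post; adjust to your environment

# 1. Does the group exist, and when was it created/changed? A whenCreated that
#    is days old on a group that should be years old is the signal to chase.
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -Properties whenCreated, whenChanged
if (-not $group) {
    Write-Warning "No group named '$groupName' exists in this domain."
    return
}
"{0}: created {1}, last changed {2}" -f $group.Name, $group.whenCreated, $group.whenChanged

# 2. Who is in it? -Recursive expands nested groups so a member hidden one
#    level down still shows up. Only user objects are passed to Get-ADUser.
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties whenCreated, LastLogonDate, Enabled |
    Select-Object SamAccountName, Enabled, whenCreated, LastLogonDate |
    Format-Table -AutoSize

# 3. Who can change the membership? Read the ACL on the group object and list
#    every principal allowed a write-class right. Anything beyond the expected
#    admin groups is a principal who can put themselves into ESXi admin.
$acl = Get-Acl -Path ("AD:\" + $group.DistinguishedName)
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ("$($_.ActiveDirectoryRights)" -match 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner')
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Sort-Object IdentityReference, ActiveDirectoryRights -Unique |
    Format-Table -AutoSize
```

Step 3 is the one that answers the commenter's precondition directly: `WriteProperty` here is broader than just the member attribute, so treat each listed principal as "can probably add members" and confirm against the object-specific GUID if you need to be exact. Run it on a schedule and diff the output; a new group, a new member, or a new ACE on this object is worth an alert regardless of which CVE prompted the check.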