Bad news for the Windows server admins, it would appear that at zero day exploit has surfaced that is extraordinary bad if you have Domain Controllers with the print-spooler service running (eg. printer role). The exploit allow an attacker to execute code as system via a normal domain user account. As of this post there is no patch available.

Potential Mitigation

Stop and disable the “Printer Spooler” service on servers where it is not required (especially DC’s).

Read more here:

and here: