As per the solution of
I would like to request the username map property be set by default on member servers with samba file-sharing role.
It is required to set privileges for domain admins on the member server, and not well documented unless you end up on the samba wiki and spend a good few hours searching and trying stuff that doesn't apply.
It would be great if the username map can be configured. It requires a file and a configuration line in smb.conf.
I am unable to judge how this impacts other configuration, but it seems to work like I want, without adverse effects.