Nice concise write up, but one slight issue I have is that you changed the group membership and domain permissions for the svc-alfresco account that everyone else is also using. So if anyone else attacks the machine at the same time as you, they get those creds and instantly are a member of groups they shouldn’t be a member of.
I assume the reason the box author allowed svc-alfresco to create new user accounts was for this exact reason. So that we could create a new account and grant permissions to that, so it doesn’t affect the experience of others.
I guess if you’re on VIP and hardly anyone else was attacking that box at the same time, not such a big deal. But on the free servers this would definitely mess with a lot of other people