The problem with the Windows security model is that, using only the built-in tools, administrative access can be granted in just two ways: to a whole computer or to a whole user. Users need enough access to do their jobs without friction, so this has to change to a model where administrative access can be granted to a single process, for example to change a static IP address or to run a business-critical application that insists on elevated rights.
Although the Windows operating system offers APIs to do this, there is no way to do it without third-party tools such as Defendpoint from Avecto. Common problems that arise from giving users administrative access are:
- Ability to stop company policies from applying to the user or computer
- Administrators cannot be constrained by access control lists, because Windows grants administrators privileges (such as SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege) that bypass the ACL check entirely
- Ability to turn off protections such as encryption, network authentication, firewalls or application whitelisting
- Local administrators decide what runs on the computer whenever anyone logs on. This leads to a situation where helpdesk personnel can easily be lured into running commands with even more powerful accounts, such as Domain Admins.
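The second point above, that privileges rather than ACLs decide what an administrator can do, is easy to see on a test machine. The script below is an added example and is not code from the original post: it creates a file, adds a deny ACE for the local Administrators group, shows that a normal read now fails even for an elevated administrator, and then reads the file anyway twice, once with backup semantics (SeBackupPrivilege via robocopy /B) and once by taking ownership (SeTakeOwnershipPrivilege via takeown). The paths under $env:TEMP, the file name and its contents are assumptions made for the demo; run it in an elevated PowerShell on a throwaway machine.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post: show that an administrator's
# privileges override a DACL that explicitly denies the Administrators group.
# The paths under $env:TEMP and the file contents are assumptions for this demo.
$src  = Join-Path $env:TEMP 'priv-demo-src'
$dst  = Join-Path $env:TEMP 'priv-demo-dst'
New-Item -ItemType Directory -Force -Path $src, $dst | Out-Null
$file = Join-Path $src 'secret.txt'
Set-Content -Path $file -Value 'payroll data'

# 1. Add a deny ACE for the local Administrators group (well-known SID S-1-5-32-544).
$acl    = Get-Acl -Path $file
$admins = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$deny   = New-Object System.Security.AccessControl.FileSystemAccessRule($admins, 'FullControl', 'Deny')
$acl.AddAccessRule($deny)
Set-Acl -Path $file -AclObject $acl

# 2. The ordinary access check honours the deny ACE: even an elevated admin cannot read the file.
try   { Get-Content -Path $file -ErrorAction Stop }
catch { "DACL check blocks the read: $($_.Exception.Message)" }

# 3. These are the privileges that let administrators step around the DACL.
#    They are listed as Disabled until a process enables them, which any admin process may do.
whoami /priv | Select-String 'SeBackupPrivilege|SeRestorePrivilege|SeTakeOwnershipPrivilege|SeDebugPrivilege'

# 4. SeBackupPrivilege: robocopy /B opens the source with backup semantics, so the DACL is
#    not consulted. The copy inherits the destination folder's permissions and is readable.
robocopy $src $dst 'secret.txt' /B /NJH /NJS /NFL /NDL | Out-Null
Get-Content -Path (Join-Path $dst 'secret.txt')

# 5. SeTakeOwnershipPrivilege: takeown claims ownership regardless of the DACL, and an owner
#    can always rewrite the DACL, so the deny ACE is simply removed and the read succeeds.
takeown.exe /F $file | Out-Null
icacls.exe $file /remove:d '*S-1-5-32-544' | Out-Null
Get-Content -Path $file

Remove-Item -Recurse -Force -Path $src, $dst
```

Step 4 leaves the original file and its DACL untouched, so nothing in the file's permissions records that it was read; step 5 changes the owner and the DACL and is therefore the noisier of the two. Both privileges exist for legitimate backup and recovery work, which is exactly why an ACL can never be the control that keeps an administrator out.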
An extra measure you also need to have in place is a policy that requires each of your Domain Admins to have at least three user accounts:
- A user account for daily use like reading email and surfing the web
- A user account that has administrative access to workstations and possibly member servers
- A user account belonging to the Domain Admins group for administering the Active Directory environment