it's like letting them run with scissors all the time… is it worth it, or simply asking for trouble? This is nothing new if you're familiar with least-privilege access; if it's something you've never thought about… Well, it's a simple, effective analogy for allowing users local admin rights on their workstations. It doesn't matter if most of today's threats can work within a regular user context. Using separate users, a standard one and an admin one that is a member of the local Administrators group, is at least a good way to mitigate the risk of potential malicious or accidental damage to the system.
Domain Users) should not be a member of the local Administrators group from a security point of view. Admittedly, Windows doesn't have simple, neat privilege management like sudo on Linux; the settings need to be tailored with GPO, or at least handled with separate user accounts. If it is not well designed or managed, User and Administrator privilege separation for users and system administrators on Windows can be painful for both sides.
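
A check for the point above, as an added example that is not part of the original post: a PowerShell audit that lists the members of the local Administrators group on a workstation and flags broad principals such as Domain Users. The function names and the list of SIDs treated as "broad" are choices made for this example.

```powershell
# Added example: audit the local Administrators group for broad principals.
# Well-known SIDs are matched instead of names so the check also works on
# localized Windows installs where the group names are translated.
$AdminGroupSid = 'S-1-5-32-544'   # BUILTIN\Administrators

# Principals that cover (nearly) every user and should not hold local admin.
# This list is an assumption of the example; extend it to fit your policy.
$BroadSidPatterns = [ordered]@{
    '^S-1-1-0$'                    = 'Everyone'
    '^S-1-5-11$'                   = 'Authenticated Users'
    '^S-1-5-4$'                    = 'INTERACTIVE'
    '^S-1-5-32-545$'               = 'BUILTIN\Users'
    '^S-1-5-21-\d+-\d+-\d+-513$'   = 'Domain Users'   # domain SID + RID 513
}

function Test-BroadLocalAdmin {
    # Returns the label of the matching broad principal, or $null if none.
    param([Parameter(Mandatory)][string]$Sid)
    foreach ($pattern in $BroadSidPatterns.Keys) {
        if ($Sid -match $pattern) { return $BroadSidPatterns[$pattern] }
    }
    return $null
}

function Get-LocalAdminAudit {
    # One row per member of the local Administrators group.
    foreach ($member in Get-LocalGroupMember -SID $AdminGroupSid) {
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Member     = $member.Name
            Class      = $member.ObjectClass       # User or Group
            Source     = $member.PrincipalSource   # Local, ActiveDirectory, ...
            BroadGroup = Test-BroadLocalAdmin -Sid $member.SID.Value
        }
    }
}

# Rows with a non-empty BroadGroup are the ones to fix first.
Get-LocalAdminAudit |
    Sort-Object BroadGroup -Descending |
    Format-Table -AutoSize
```

Any row with a value in `BroadGroup` means every account in that group is effectively a local administrator on the machine.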