I am working through, and find this blurb about user administrative rights on local workstations:

"You should consider carefully whether users require administrative rights on their workstations, and if they do, a better approach may be to create a separate local account on the computer that is a member of the Administrators group."

I have found the NIST 800-53 publication that speaks about least privilege approach (specifically AC-6(2)), but I am having difficulty finding supporting information from Microsoft. I am trying to find 'backup' materials - reliable sources, best practices, etc., that support my effort.
They do not have the local Administrator account - it's rotated periodically by LAPS.
My users' domain accounts are members of the local workstation Administrator group.
We're embarking on our Windows 10 upgrade in the coming months, and I'm trying hard to put my foot down about removing local administrator rights from my end-users.