Domain members should be managed by the domain. A suggestion from a class I wrote & taught over a decade ago - Desktop Administrators as a group with local administrative permissions on client workstations. If you have desktop users with local admin permissions, fine - but do it on purpose, from a central management point, and don't mess about with onesie-twosie local user accounts. Please remember users get assigned to groups, groups get assigned permissions. RESTRICTED GROUPS are your friend in defining permissions granted through membership in machine local security groups. What do they teach in Windows Networking classes these days? Geez, you guys all log on to workstations with Domain Admin privileged accounts? Are you CRAZY? What if you need to fix a compromised workstation, you're really going to put privileged credentials in?
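Added example, not part of the original comment: a PowerShell check that classifies each member of a workstation's local Administrators group against what a Restricted Groups policy is meant to enforce. The `CONTOSO` domain, the allow-list contents, the sample members and the `Test-AdminMember` helper are assumptions made for illustration.

```powershell
# Assumption: placeholder domain and group names; substitute your own.
$AllowedGroups = @('CONTOSO\Desktop Administrators', 'CONTOSO\Domain Admins')

function Test-AdminMember {
    param(
        [Parameter(Mandatory)] $Member,
        [string[]] $AllowedGroups
    )
    $sid = [string]$Member.SID
    # The built-in local Administrator account always has RID 500.
    if ($Member.PrincipalSource -eq 'Local' -and $sid -match '-500$') {
        return 'OK: built-in Administrator'
    }
    # Any other machine-local principal is a one-off the domain does not manage.
    if ($Member.PrincipalSource -eq 'Local') {
        return 'FINDING: one-off local account or group'
    }
    # Users get assigned to groups, groups get assigned permissions.
    if ($Member.ObjectClass -eq 'User') {
        return 'FINDING: domain user added directly, not through a group'
    }
    if ($AllowedGroups -contains $Member.Name) {
        return 'OK: centrally managed domain group'
    }
    return 'FINDING: domain group not in the allow-list'
}

# Constructed sample data in the shape Get-LocalGroupMember returns.
# On a real workstation use instead:
#   $members = Get-LocalGroupMember -SID 'S-1-5-32-544'   # BUILTIN\Administrators
$members = @(
    [pscustomobject]@{ Name = 'WS01\Administrator'; SID = 'S-1-5-21-1111-2222-3333-500'; ObjectClass = 'User'; PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'WS01\helpdesk-tmp'; SID = 'S-1-5-21-1111-2222-3333-1004'; ObjectClass = 'User'; PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'CONTOSO\jsmith'; SID = 'S-1-5-21-4444-5555-6666-1601'; ObjectClass = 'User'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'CONTOSO\Desktop Administrators'; SID = 'S-1-5-21-4444-5555-6666-2201'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
)

$members | ForEach-Object {
    [pscustomobject]@{
        Member = $_.Name
        Class  = $_.ObjectClass
        Source = $_.PrincipalSource
        Result = Test-AdminMember -Member $_ -AllowedGroups $AllowedGroups
    }
} | Format-Table -AutoSize
```

Any `FINDING` row is membership that a Restricted Groups setting for the local Administrators group would replace at the next policy refresh.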