Moving To A Least Privileges Environment: A Step By Step Project Plan - Chapter 2: Identify User Accounts That Have Local Administrative Rights
Organizations gain a number of benefits when they remove local administrator rights from end users and move to a least privilege environment on the desktop. As one of the first steps in organizing and planning that move, it is essential to identify the users who currently log on with local administrator rights on Windows systems. The user and group membership information in Active Directory (AD) does not directly indicate the level of access each user has on a Windows system. A user who is not a member of Enterprise Admins in AD does not necessarily have restricted rights on the Windows desktop.
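Because AD membership alone does not answer the question, the inventory has to come from each machine's local Administrators group. The following is an added example, not part of the original chapter; the function name Get-LocalAdminInventory is hypothetical, and it assumes Windows PowerShell 5.1 or later and, for remote machines, PowerShell remoting (WinRM) enabled.

```powershell
# Added example: list who holds local admin rights on each machine.
function Get-LocalAdminInventory {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # S-1-5-32-544 is the well-known SID of the local Administrators group,
    # so the query works regardless of the OS display language.
    $query = {
        Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
            Select-Object Name, ObjectClass,
                @{ n = 'PrincipalSource'; e = { "$($_.PrincipalSource)" } },
                @{ n = 'Sid'; e = { $_.SID.Value } }
    }

    foreach ($computer in $ComputerName) {
        try {
            $members = if ($computer -eq $env:COMPUTERNAME) {
                & $query    # local machine: no remoting needed
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock $query -ErrorAction Stop
            }
        } catch {
            # Unreachable hosts are reported, not silently skipped.
            Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
            continue
        }

        foreach ($m in $members) {
            [pscustomobject]@{
                Computer        = $computer
                Member          = $m.Name
                ObjectClass     = $m.ObjectClass      # User or Group
                PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, ...
                Sid             = $m.Sid
                # RID 500 = built-in Administrator, RID 512 = Domain Admins:
                # the members a domain-joined machine has by default.
                DefaultMember   = $m.Sid -match '^S-1-5-21-.*-(500|512)$'
            }
        }
    }
}

# Everything that is not a default member is a candidate for review.
Get-LocalAdminInventory | Where-Object { -not $_.DefaultMember } |
    Format-Table Computer, Member, ObjectClass, PrincipalSource
```

Members with ObjectClass Group still need expanding in AD, since every user nested inside such a group also logs on with local administrator rights.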