I was surfing around and stumbled into Chris Henley's blog. In his post at http://blogs.technet.com/chenley/archive/2006/07/13/441642.aspx the question is posted asking how to disable ALL of the local admin accounts on the various machines throughout the network. Smartly, Chris points out a GPO setting that will do this although I must be getting old because I cannot read it. Chris also mentioned Jesper's blog talks about this. So I dug around on Jesper's blog and sure enough, http://blogs.technet.com/jesper_johansson/archive/... talks about disabling the local admin account.
However, I think the context was different and I'm going to add my two cents to this discussion. Jesper said to disable the local admin because he wants anyone that needs admin privilege, to have a unique admin id. This is good for identity purposes so that you can tell which admin is doing what. If multiple people use the same admin id, guess what happens to reasonable doubt in court? So Jesper's suggestion is a very good one.
In the context of the question posed to Chris, it sounds like they want to disable all local admin's but still manage the machines with domain admin's. Sounds good on the surface.
What happens when there is no network connectivity between the machine and the domain? No administration. What happens when the machine is a laptop and is far from the mother ship and something happens that requires admin privilege? Again, with no network connectivity, the admin's can't RDP to the machine, and someone sitting at it cannot login to the domain.
So think long and hard about the scenarios where you need those controls. In a campus setting with a dense population of users that don't travel, the domain model works well. In a mobile workforce where some self service might be appropriate, I'm not sure I'd lock those machines down that far.
What do you think? How do you handle super users?