RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-13 Thread David Gillett
> If I take the domain admin out of my local administrators, they can't do anything. Done.

Back when I did AD/domain support, all domain user accounts got a profile that included a trivial script to re-add Domain Admins to the Local Admins group. So this kind of local removal shenanigans laste

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-15 Thread Michael Bauer
Maybe what some of us need to learn from this is that we should never think in absolutes such as local vs. domain users. There are numerous account types and the overrides to take into account with any OS and they change. This is more of a wake-up call to brush up on our understanding of permissi