We have a broad range of users from developers and testers to Desktop Support, etc. Apart from security groups which allow domain level access for help desk and users, we have the need for local admin rights on the machines.
I know that best practice is to determine what access/permissions are needed on the local level and grant that access without the use of local admin rights, however, we are not there yet.
We are planning on using a bang account (second account) such as sfarazmand! We want to limit domain access as well, so that users are not using the admin account as their default.
The question is which is best practice; to use a domain account or a local account. What are pros and cons of each