The company I work for has grown quite a bit over the last few years. Three years ago our locations were linked via site-to-site VPNs, a domain was created, and all users and computers were joined to that domain. We are a specialty company and most of our users are engineers or technicians who need the ability to install software, so all users have been set up as local administrators.
I started with the company two years ago and immediately pointed out the huge security problem with making users local administrators. The main problem is that all users can browse admin shares on all other computers, especially the executives' computers.
Users still need the ability to install software, but how can I lock down the domain to prevent users from browsing admin shares on other computers in the domain without stopping them from installing software?
Is there a white paper or best practices paper that I can use as a guideline to implement a security policy?