We currently have a user VBS startup script that adds the AD group domain\LocalAdmin to the local Administrator group for the machine. This script command gets run when an IT admin joins the machine to the domain the first time and logs in (since any standard user would not be able to execute a script adding a user or group to the administrator group). This was set up so that we could centrally grant and remove administrative rights to select users without visiting their machine. An unforeseen consequence of this is that members of the AD group LocalAdmin have access to administrative shares on all remote machines. So if a user knew the name of any computer on our network, they would be able to browse the root of C by going to \\computername\C$.
We want members of LocalAdmin to only be the admin of the machine they are sitting in front of. I know there are ways to disable admin shares but am concerned about doing this because it seems as if it turns off features that are essential to IT administration.