What kind of questions should be asked when determining whether there is a valid business case for an AD account to be added into the domain admins group? Or on the flip side what kind of valid business cases are there for putting a user in a domain admins group, i.e. for what purposes is it necessary. Which of your accounts/staff of are domain admins and why?
Also is there anyway to see when an account became a member of the domain admins group? i.e. whether this was part of the account creation (keep hearing about a “primary group”) or at a later date, elevation of privilege etc.