If someone works as a system admin, and they are part of a group that is added as a local admin to most servers anyway (so they can manage the systems)...
How much more dangerous would it be to have 'domain admin rights'? (which would eliminate the need to have to be a local admin)
Of course, having domain admin rights does mean there'd be some additional servers in the environment that someone could access should their login be compromised.
But I'm trying to gauge the risk of granting a person domain admin rights on their AD user account (which means they do everything as a domain admin, including when they are working on their own desktop machine).
(The gist of the question is: if the user has local admin to many systems anyway, how bad is it to just give them domain admin rights in terms of security risks? This is a trusted employee, so it's not about trust but about what if their account is compromised, would the damage be higher than now?)