Having users in the local administrators group is sometimes necessary, but it creates security holes for malware and privacy.
I wonder how others handle the dilemma for the following scenarios, which are common at most workplaces:
You manage thousands of user computers and accounts.
Some users need to have local administrator privileges; for example, they need to install their own software and manage and administer their own computers.
On the other hand, you install multiple agents which need to be protected from being removed or uninstalled by users.
How do you solve the dilemma? Do you give them two accounts, one with local user privileges and the other with local administrative privileges?