Users are part of a domain, and so are their computers, on which they are **the only user**. Users are part of the Local Administrators group.
What are the actual risks this setup poses?
# Rationale for the question
The users are the only ones that work on the computer; the only data available there is data they either have locally or to which they have access through shares.
An attacker can have (as far as I can tell), the following intents:
– stealing the user data → being administrator does not change anything, the data is the user’s anyway
– have a persistent presence on the computer to use it as a bot or for lateral movements → being an administrator does not change this (you can set persistence through user mechanisms such as programmed tasks, and you can run services (programs that communicate out or allow communication in) in the userspace)
– accessing secrets available to administrators of the machine only, such as authentication tokens of other users (including global administrators) via mechanisms such as mimikatz → this is indeed an issue, which can be mitigated either via Credential Guard, or generally via proper domain administration (separation of duties, MFA, …). But yes, this is a problem.
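An added audit snippet (not part of the question) that checks the two facts the third point turns on: which domain principals sit in the local Administrators group, and whether Credential Guard is actually running on the workstation. It assumes Windows PowerShell 5.1 or later on a domain-joined Windows 10/11 machine, run with local admin rights; the function name is my own.

```powershell
# Added example, not from the question: report local-admin exposure on this host.
function Get-LocalAdminExposure {
    # 1. Members of the local Administrators group. Domain user accounts listed
    #    here hold exactly the rights the question is asking about.
    $members = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource

    # Domain *users* (as opposed to domain groups or local accounts) are the
    # interesting ones for the "token theft via mimikatz" risk.
    $domainUserAdmins = $members |
        Where-Object { $_.ObjectClass -eq 'User' -and
                       $_.PrincipalSource -eq 'ActiveDirectory' }

    # 2. Credential Guard status. Win32_DeviceGuard exposes
    #    SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    #    The class is absent on older builds, so tolerate the error.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard `
                          -ErrorAction SilentlyContinue
    $credGuardRunning = if ($dg) { $dg.SecurityServicesRunning -contains 1 } else { $false }

    # Unmitigated: a domain user is local admin AND Credential Guard is off.
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        DomainUserAdmins     = @($domainUserAdmins | ForEach-Object Name)
        CredentialGuardRunning = $credGuardRunning
        CredentialTheftRiskUnmitigated = ($domainUserAdmins.Count -gt 0) -and -not $credGuardRunning
    }
}

Get-LocalAdminExposure | Format-List
```

Run it through Invoke-Command against a list of workstations to get the same picture fleet-wide; hosts where CredentialTheftRiskUnmitigated is $true are the ones where the "but yes, this is a problem" point still applies.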