...

By default, all users will have only User status on their University-owned Windows PCs. IT recognizes that some faculty and staff need to perform tasks requiring elevated permissions. To accommodate these individuals, IT will create, on a case-by-case basis, an additional username.admin account with membership in the Local Administrator group on selected PCs.

To achieve this goal, we will use Group Policies to remove all existing membership in the Local Administrator group and add the following security groups:

...

Users who are granted a username.admin account with elevated privileges must recognize that these accounts are to be used only to provide credentials for tasks requiring such elevated privileges, and not for normal tasks like internet browsing or file/print operations. The passwords of these accounts will not be linked to the AMS or any other password management services. These accounts' passwords will still expire at a regular 185-day interval and should be managed through the native Windows password change functionality.

The decision on which users will be assigned username.admin accounts with elevated privileges will be made jointly by IT staff and the department's director, chair, or other employee delegated to serve in that role, and must be based on a demonstrated business need.

Users who are not assigned accounts with elevated privileges and need software installed on their PC will need to:

...