We've already taken the easy step of removing local administrator rights for our users on their desktops and laptops. But we're wondering what to do with our IT staff who often need administrator rights on servers, desktops, and laptops.
We've tried giving them a normal user account without admin rights for the desktop/laptop as well as an admin account which has administrator rights on all desktops/laptops. That works for many things, but not all. For example, you can't run an application as another user AND administrator at the same time. We're already using the LAPS solution to routinely change the local administrator password.
Any advice on a plan for structuring accounts for IT support who are directly responsible for supporting Windows clients and servers?