Techniques are shared to find & reign-in DOMAIN ADMIN accounts in this informative ISC article:

https://isc.sans.edu/forums/diary/Where+have+all+the+Domain+Admins+gone+Rooting+out+Unwanted+Domain+Administrators/24874/

Ever been in an internal security assessment or penetration test, and need to list all domain admins? First of all, why would you need to do that?  All to often, you’ll find that way too many people have domain admins – you know, “just in case” … Examples like:

* developers – who needed local admin on that one server, that one time, but we gave them domain admin and then forgot
* developers, because don’t all devs need domain admin?
* IT VP’s and dev managers, because they used to be admins
* the CEO, because they insisted
* Steve, because Steve needed to update the timezone or install a printer at home, and the helpdesk mistakenly gave Steve domain admin rights for that
You get the idea.

So, aside from the people that are actual members of “Domain Admins”, there are lots of groups that have elevated privileges in a domain, so we’ll need to enumerate all of those too.  And you can put groups into groups, so we’ll have to recurse through that mess to get the full list of users.  This can take quite a while in the GUI, but it’s only a few lines of code in PowerShell: