Techniques for finding and reining in local admin accounts on domain member workstations are shared in this informative ISC diary:

https://isc.sans.edu/forums/diary/Finding+Local+Administrators+on+a+Domain+Member+Stations/24876/

Local admin used to be a common thing, back in the early XP days when Windows security was new. It was common back then to see everyone's AD account given local admin on their own machine, so that they could do things like set the clock, install printer drivers, or install games when they took their laptop home.

Sound familiar? Well, those days are gone (or they should be). In 99% of cases, you absolutely, positively do NOT need local admin for anything on a domain member computer (especially if it's not a server) that's administered by IT staff. You might need an extra user right here or there, but even then, it's very likely that you don't. Windows 10, and even Windows 7, both work perfectly well for day-to-day use without giving folks admin rights. (We won't talk about that dark Windows 8 detour that nobody took, but W8 does just as good a job on this score.)

What local admin does give you is rights that you shouldn't have: for instance, the ability to install malware, which can then modify system files that nobody wants changed. And if you don't use LAPS, local admin on one station will likely give you local admin on ALL the stations, because machines built from the same image typically share the same built-in Administrator password, so a single hash or password recovered on one host works everywhere. From a malware point of view that is as good as domain admin in lots of organizations. So let's get on with it – to find local admins across the board, you'll want something that looks like this:
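The diary's own script is not reproduced on this page. As an added example (not the ISC author's code), the following PowerShell enumerates the local Administrators group on every enabled domain workstation and flags members that are not on a baseline list. It assumes the ActiveDirectory RSAT module is installed on the host you run it from, that PowerShell Remoting (WinRM) is enabled on the targets, and that the operating-system filter and the `$expected` baseline are placeholders you would adjust for your own environment. It falls back to the ADSI WinNT provider for hosts that lack `Get-LocalGroupMember` (pre-PowerShell 5.1), and it also lists hosts that did not answer, since a station you cannot audit is a finding too.

```powershell
# Added example, not from the ISC diary. Assumes RSAT ActiveDirectory module and WinRM.
# Baseline of members you expect to see in the local Administrators group (assumption).
$expected = @('Administrator', 'Domain Admins')

# Pull enabled workstations from AD; the OS filter is a placeholder for your fleet.
$computers = Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystem -like '*Windows 10*' } -Properties OperatingSystem |
    Select-Object -ExpandProperty Name

# Query each host in parallel over WinRM; hosts that fail are handled below.
$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        # PowerShell 5.1+: names come back as DOMAIN\user or COMPUTER\user.
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $_.Name
                Class    = $_.ObjectClass
                Source   = $_.PrincipalSource
            }
        }
    }
    else {
        # Older hosts: enumerate via the ADSI WinNT provider instead.
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
        $group.psbase.Invoke('Members') | ForEach-Object {
            $name  = $_.GetType().InvokeMember('Name',  'GetProperty', $null, $_, $null)
            $class = $_.GetType().InvokeMember('Class', 'GetProperty', $null, $_, $null)
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $name
                Class    = $class
                Source   = 'n/a'
            }
        }
    }
}

# Strip any DOMAIN\ or COMPUTER\ prefix and compare against the baseline.
$unexpected = $results | Where-Object { ($_.Member -split '\\')[-1] -notin $expected }

"=== Unexpected local administrators ==="
$unexpected | Sort-Object Computer, Member | Format-Table Computer, Member, Class, Source -AutoSize

# Stations that returned nothing were unreachable (or WinRM is off) and still need a look.
"=== Hosts that could not be audited ==="
$computers | Where-Object { $_ -notin $results.Computer } | Sort-Object -Unique
```

Run it from a workstation or jump host with an account that is an administrator on the targets. The `Class` and `Source` columns make it easy to spot the usual culprits: an `ActiveDirectory` user rather than a group, or a `Local` account nobody remembers creating. Pipe `$unexpected` to `Export-Csv` if you want something to hand to the desktop team.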