The ADMIN account must be protected at all times, so that ADMIN authority is restricted to only the truly vital needs.  Otherwise this group of users can better executive malware based scripts & macros in an unblocked manner — as this informative SANS ISC article documents

QUOTE:   Today, I’d like to discuss a few of the Critical Controls, and how I see real people abusing or circumventing them in real companies


1. Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

2. Block all email attachments entering the organization’s email gateway if the file types are unnecessary for the organization’s business.

3. Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.

So, what could possibly go wrong? … let’s count the ways

1. Remember, these are admin folks. So they’ve got the rights, and they also get impatient with extra work. So, the natural inclination is to exempt themselves – maybe create a new group with admin rights, and move their account into that group. That gives them admin login to workstations, and also gives them internet from the jump hosts.

2. You’ll also see at least some of those folks “Connect” that admin account to their exchange mailbox. That gives them email from their admin accounts …

IMPACTS:   voila! Now they are logged in all the time as admin, and checking email as admin. So now, when that user receives a Word or Excel file (or whatever) with a macro in it, then open the file and run the macro, that macro is running as (in this case) Domain Admin. Which of course means that (yes in real life) the customer’s Domain Controller got ransomwared (along with all of their other servers actually).