I noticed one of our domains has a user that logs in regularly with his domain admin credentials.
I have always known this to be a bad idea, but hoping someone can point out specific examples of exploits, problems, security flaws, etc. that could occur.
To strictly answer your question, there's always good old mistakes with rm or del. Mistakes with those tools are not fun. I (ahem) have a friend who may have accidentally shut down a server when I -- errr, he -- meant to just logout.

But it's not a bad idea if the person legitimately needs those credentials. I log in with mine many times a day, but as a sysadmin, I need them all over. That said, I don't need admin credentials to read email and browse the web.
If you're in a regulated industry (PCI DSS, SarbOx, HIPAA), you may be required to separate your duties out as much as possible, so an admin can be putting the company (and possibly him- or herself personally) in legal jeopardy. Frankly, that's what finally got us over to being better with our admin credentials.
So the real takeaway, I believe, is to find out why the user is using the domain admin credentials. If the user is creating resources, installing software, etc., then perhaps that's what they need. If you have the time, you can always delegate out lots of AD individual privileges -- we let our helpdesk guy join PCs to the domain and change passwords, but that's about it. But just logging in with domain admin credentials, if you're an admin, doesn't necessarily mean there's cause for alarm.
No one should have their every day user account be a "domain admin" account and no one should have an every day user account have "administrative" access to more than a handful of machines.
Why? Worms, for one. Get infected by a worm and the worm may try to infect every machine on the network through administrative shares - if you're a domain admin, that means EVERY MACHINE - WORKSTATION OR SERVER - could be SERIOUSLY infected because you (or the person(s)) in question are too lazy to use RunAs or right click an app and select "run as administrator".
That would be the BIGGEST reason I can think of why it's a bad idea.
Some companies may create "Service Technicians" groups and put those groups in the local admins group of all workstations so the service techs always have appropriate access without having access to servers - that's great - BUT, even the service techs need non-privileged accounts.
Make the users log in as their "every day" accounts and give them admin accounts for when they need to do something. If you must, give them admin rights on their local laptops and desktops that they REGULARLY use, but not all systems. Then don't let them access printers and other "every day resources" as their privileged users, only as their every day users.
Convincing people to follow the rules can be difficult - especially when they are smart (I can think of a couple of ways around my own recommendation off the top of my head), but if even half the IT staff follows the correct procedures, then that's a potential 50% reduction in problems.
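The first answer says to find out why the account is being used, and the one above says to check whether admins are actually using RunAs rather than logging in interactively. Below is an added PowerShell example (not from anyone in this thread) that does the first half of that audit: it resolves the effective membership of Domain Admins and lists recent interactive logons (console, RDP or cached) by those accounts from the Security log. It assumes the ActiveDirectory RSAT module is installed, that successful-logon auditing (event 4624) is enabled, and that you have rights to read the Security log; the group name and look-back window are parameters you can change.

```powershell
# Added example, not code from the original thread.
# Lists interactive logons by Domain Admin members in the local Security log.
# Assumptions: ActiveDirectory module available, event 4624 auditing enabled,
# caller can read the Security log. Run on each workstation/server of interest,
# or point Get-WinEvent at a remote machine with -ComputerName.
param(
    [string]$AdminGroup = 'Domain Admins',   # group to audit (assumed default)
    [int]$Days = 7                           # look-back window
)

Import-Module ActiveDirectory

# Effective members of the group, following nested groups, users only.
$admins = Get-ADGroupMember -Identity $AdminGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SamAccountName.ToLowerInvariant() }

# Logon types that mean a person actually signed in to a session:
# 2 = console, 10 = RemoteInteractive (RDP), 11 = cached interactive.
# Network (3), batch (4) and service (5) logons are left out on purpose,
# since those are what RunAs-style remote administration normally produces.
$interactiveTypes = @('2', '10', '11')

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$hits = foreach ($ev in $events) {
    # Event 4624 carries its fields as <Data Name="..."> elements; pull them into a hashtable.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $user = "$($data['TargetUserName'])".ToLowerInvariant()
    if (($admins -contains $user) -and ($interactiveTypes -contains $data['LogonType'])) {
        [pscustomobject]@{
            Time      = $ev.TimeCreated
            User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType = $data['LogonType']
            Source    = $data['WorkstationName']
        }
    }
}

$hits | Sort-Object Time -Descending | Format-Table -AutoSize
```

Event 4624 is written on the machine where the logon happened, so a domain controller only shows interactive logons to itself; to see what the user in the question is doing on their workstation you run this there (or against a log collector). An empty result for a Domain Admin member who is known to be working is the good outcome: it means their admin account is only showing up as network or elevation logons, not as a desktop session.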
Sorry to resurrect an old thread, but there's an issue that wasn't covered here. If a user isn't domain admin, then to perform duties which require domain admin privileges, they're going to have to log in with a shared account. This, in itself, is a violation of many regulatory issues related to audit trail and identity management. With UAC in 7 and 2008/R2, all actions of a domain admin are logged whenever they elevate to the "real" domain admin account - your normal account is only nominally a domain admin. So unless you start a command prompt/explorer window/etc explicitly with "Run as Administrator", there is no risk. And if you do - it's logged.