Transition away from Domain Admin only account

Solution 1:

I'm going to take the opposite tack as @TheCleaner.

Those Domain Admin accounts' password hashes are probably lying all around your network, just waiting for a pass-the-hash scenario. Because of that, I'd recommend you remove those accounts from Domain Admins immediately, and start using them as limited users. (You should still change the passwords, too.)

This method also has the distinct advantages of not requiring any profile "voodoo" and, hopefully, not changing any permissions on resources like home directories, which should have had the user named anyway. This preserves Exchange mailboxes in-place, too.

Create new Domain Admin-member accounts with logon restrictions limited to only the Domain Controller computers. These accounts should never be used for anything other than logging on to Domain Controller computers, to limit the exposure of their password hashes.

This is going to be a tough transition, and you're going to run into things that were working on client computers only because your user accounts were implicitly members of the local "Administrators" group. You can probably make this pill a little easier to swallow by using another group nesting (say, "Former Domain Admins") to give these accounts local Administrator rights. Eventually you'll want to move away from that, too.
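The steps in the answer above, scripted as an added example (this is not code from the answer's author): it uses the RSAT ActiveDirectory module and assumes it runs under a current Domain Admin from a domain controller. The account names `mark` and `jane`, the `-da` suffix, the OU `OU=Admin Accounts,DC=corp,DC=example` and the group name `Former Domain Admins` are placeholders. One caveat the answer does not spell out: a daily-use account may also sit in Enterprise Admins, Schema Admins or the built-in Administrators group, so check those groups as well; the check at the end only covers Domain Admins.

```powershell
# Added example, not from the original answer. Assumes the ActiveDirectory RSAT module,
# current Domain Admin rights, and placeholder names for users, OU and group.
Import-Module ActiveDirectory

$formerAdmins = @('mark', 'jane')                       # assumed: daily-use accounts currently in Domain Admins
$adminOu      = 'OU=Admin Accounts,DC=corp,DC=example'  # assumed OU for the new DC-only accounts
$bridgeGroup  = 'Former Domain Admins'                  # temporary local-admin bridge group
$domain       = Get-ADDomain

# Logon restriction for the new admin accounts: only the domain controllers.
# LogonWorkstations is a comma-separated list of NetBIOS computer names and is
# enforced at logon, so a stolen hash for these accounts is useless off a DC.
$dcNames = (Get-ADDomainController -Filter *).Name -join ','

# Bridge group: add it to workstations' local Administrators via GPO (Restricted
# Groups or Group Policy Preferences) so the old accounts keep working for now.
if (-not (Get-ADGroup -Filter "Name -eq '$bridgeGroup'")) {
    New-ADGroup -Name $bridgeGroup -GroupScope Global -GroupCategory Security `
        -Description 'Temporary local Administrator rights for accounts removed from Domain Admins'
}

foreach ($sam in $formerAdmins) {
    $user     = Get-ADUser -Identity $sam
    $adminSam = "$sam-da"

    # New Domain Admin account, restricted to the DCs, with its own password.
    $adminPw = Read-Host -Prompt "New password for $adminSam" -AsSecureString
    New-ADUser -Name $adminSam -SamAccountName $adminSam `
        -UserPrincipalName "$adminSam@$($domain.DNSRoot)" `
        -Path $adminOu -AccountPassword $adminPw -Enabled $true `
        -LogonWorkstations $dcNames `
        -Description "DC-only admin account for $sam"
    Add-ADGroupMember -Identity 'Domain Admins' -Members $adminSam

    # Demote the daily-use account: out of Domain Admins, into the bridge group,
    # and rotate its password because the old hash may be cached anywhere.
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $user -Confirm:$false
    Add-ADGroupMember -Identity $bridgeGroup -Members $user
    $userPw = Read-Host -Prompt "New password for $sam" -AsSecureString
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $userPw
}

# Check: Domain Admins should now hold only the DC-restricted accounts
# (plus the built-in Administrator), each with LogonWorkstations populated.
Get-ADGroupMember -Identity 'Domain Admins' |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

Run it once per batch of accounts and rerun the final check after the GPO that grants the bridge group local Administrator has applied; the bridge group is the part to keep shrinking afterwards.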

Solution 2:

Here's my quick recommendation...since you can easily work "backwards" at this point to get what you want.

  1. Rename the existing accounts in AD to something like "Mark-Admin". Change their display name and user logon name (username). The SID will stay the same so it's similar to having someone go from their maiden to married name in essence. All permissions, etc. everywhere stay the same.
  2. Create each of them new low privilege accounts now called "Mark" (whatever their old normal username was that they were used to using). Give these accounts permissions to their Home folder and/or whatever else permissions this normal account needs access to. You'll also need to transfer over Exchange/email system information (email addresses, etc.) from the old to this account as well. Keep in mind that their email address is likely used as login information for O365 or other portals if you aren't using SSO.
  3. Remove any permissions that "Mark-Admin" no longer needs access to, if any.
  4. Use a tool such as ForensIT Profile Wizard on their workstation to migrate their profile from the old SID (now Mark-Admin username) to their new SID (Mark)...giving them back their desktop/profile/etc. as if they'd always used it on that account.
  5. For logons/authentication portals that didn't offer SSO (possibly your O365, Sharepoint, etc.) then you'll need to update these somehow. For instance with O365 if you aren't syncing with AD, then you'd need to update it directly, either creating a new account or modifying the existing account's rights. This will be based on your setup. For example, if they are currently signing in with email address then that address would obviously transfer to their low privilege account (Mark) and you'd need a different address setup for Mark-Admin.
  6. Profit
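Steps 1 to 3 of the answer above, scripted as an added example (not the answer author's code): rename the privileged account in place, keeping its SID, then create the new low-privilege account under the old login name. It assumes the RSAT ActiveDirectory module, Domain Admin rights, a placeholder user `mark`, the suffix `-admin`, and the OU `OU=Users,DC=corp,DC=example`. Profile migration (step 4), the Exchange attributes and the portal logins (steps 2 and 5) are deliberately left to the tools the answer names and are not scripted here; home-folder NTFS ACLs also still need an entry for the new SID.

```powershell
# Added example, not from the original answer. Assumes the ActiveDirectory RSAT module,
# Domain Admin rights, and placeholder account/OU names.
Import-Module ActiveDirectory

$oldSam   = 'mark'                            # assumed: today's privileged daily-use login name
$adminSam = "$oldSam-admin"                   # what the old account becomes ("Mark-Admin")
$userOu   = 'OU=Users,DC=corp,DC=example'     # assumed OU for the new low-privilege account
$domain   = Get-ADDomain

# Groups the new low-privilege account must never inherit from the old one.
$privGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                'Account Operators', 'Server Operators', 'Backup Operators')

# Step 1: rename in place. objectGUID and SID are unchanged, so every ACL and
# group membership that references this account keeps working.
$old = Get-ADUser -Identity $oldSam -Properties DisplayName, GivenName, Surname
Set-ADUser -Identity $old -SamAccountName $adminSam `
    -UserPrincipalName "$adminSam@$($domain.DNSRoot)" `
    -DisplayName "$($old.DisplayName) (Admin)"
Rename-ADObject -Identity $old.DistinguishedName -NewName $adminSam
$admin = Get-ADUser -Identity $adminSam       # re-read: the DN changed with the rename

# Step 2: new low-privilege account under the old login name, with a fresh SID.
$pw = Read-Host -Prompt "Initial password for $oldSam" -AsSecureString
New-ADUser -Name $oldSam -SamAccountName $oldSam `
    -UserPrincipalName "$oldSam@$($domain.DNSRoot)" `
    -GivenName $old.GivenName -Surname $old.Surname -DisplayName $old.DisplayName `
    -Path $userOu -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true

# Give the new account the old account's everyday group memberships (shares, apps),
# skipping the privileged groups and the primary group Domain Users.
$everydayGroups = Get-ADPrincipalGroupMembership -Identity $admin |
    Where-Object { $privGroups -notcontains $_.Name -and $_.Name -ne 'Domain Users' }
foreach ($g in $everydayGroups) {
    Add-ADGroupMember -Identity $g -Members $oldSam
}

# Step 3: one reading of "remove permissions Mark-Admin no longer needs": drop the
# everyday groups from the admin account so it holds only its privileged roles.
# Review $everydayGroups first if some admin tooling depends on one of them.
foreach ($g in $everydayGroups) {
    Remove-ADGroupMember -Identity $g -Members $admin -Confirm:$false
}

# Check: only the renamed account should be in Domain Admins, and both accounts
# should resolve by their new names.
Get-ADUser -Identity $oldSam, $adminSam | Select-Object SamAccountName, SID, Enabled
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object -ExpandProperty SamAccountName
```

Run the profile migration on the workstation after this, since ForensIT needs both SIDs to exist; and if Exchange or a directory sync to O365 keys on the user principal name, change that side before users log in, because step 1 just changed the UPN of the mailbox-owning account.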