Local administrator accounts on computers wield considerable power and must be limited. It is common for domain users to have local administrator rights or access to the local administrator account itself. It is common to use the same local administrator password across the enterprise. To protect the organisation, disable the local administrator accounts if possible or at the very least change the default name, use unique, secure passwords, and restrict access unless necessary. Assign separate administrator accounts to users if needed for temporary use and enable auditing on all privileged accounts. Underpin this with management supported policy. Remember non-windows systems.