Problem solve Get help with specific problems with your technologies, process and projects.

What are elevated privileges and why do they make my systems vulnerable?

Concerning your response to How can I stop administrators from taking their computers out of the domain?, can you please clarify and give examples of what you mean by "think of the elevation of privilege attacks that might provide them with elevated privileges on other machines (including servers and domain controllers)"?
If an attacker is able to gain access to LSA secrets (possibly by using lsadump2), then they might discover the user name and password for a service account. Accounts that are used to run services may have privileges beyond that held by the user of the compromised account and maybe domain-level accounts. Armed with the information, the attacker can log on and now have those privileges. If the account is a domain account, his privileges extend to many computers in the domain, not just the one he was able to compromise.

Dig Deeper on Windows 10 security and management