@AC re: Horse-shit
Of course, when it comes to social engineering, UAC and a popup sudo are no different, and are both as easy as each other to subvert.
But most users, and I suspect you as well, probably have never used a Linux system where your ID is not only not root, but is also not in the administrator group. It's just not necessary for most personal systems, and not being able to run sudo or having a root password makes it very, very difficult for an *ordinary user* to become root or touch system files.
But it's all about trust, as I said in a previous comment. If your trusted system is compromised, then this can propagate throughout a whole environment, even if Active Directory is involved. And Active Directory only protects a system while the group policy is available. Although I do not know, I strongly suspect that if you can get into a Windows system configured to use group policy using an OS weakness, like all systems, it will be possible to *TURN OFF* the requirement for the policy, making it just another Windows system with all of the inherent and widely publicised problems that Windows has.
I also read that often the group policy often just turns off the UI to various things. I have found out myself that it is sometimes possible to run the CLI utilities on a locked-down Windows system when the group policy prohibits the windows utility. This makes the security no better than "security by obscurity".
I suspect by your comment of "nothing (and I mean *NOTHING* is more secure than a properly configured AD and correctly-configured clients" (sic) that you have not looked into SELinux or AIX with RBAC, both with Kerberos turned on, which both implement service and object based tokenised remote authentication which is very similar to the Active Directory support of Windows. In fact, Active Directory is really an extended LDAP directory service with Kerberos authentication (if configured) to access to the directory. LDAP and Kerberos were both originally implemented on UNIX.
AIX had a kerborised command authentication system in the SP2 pssp cluster control package called sysctl over 14 years ago, and UNIX systems that implemented them also had a similar features as part of DCE and AFS, well before Microsoft implemented Active Directory.
I often comment that the Owner-Group-World access model in UNIX-like OSs is one of their weaker features. But where this simple model scores is that it is easy to understand, and a well implemented simple security model can be much more secure than a poorly implemented complex model. You probably have never had the opportunity to try to break out of a well implemented Linux system where you are an ordinary user, but I assure you that it is possible to make a system perfectly usable while being very, very difficult to break into.
Most ways that UNIX-like systems are compromised involve the wet-ware that administers the system, and I think that is exactly what has happened at linux.org, and could just as easily happen to a Windows system, even with AD configured.