Reply to post: Re: Like a US drug commercial...

Wanna save yourself against NotPetya? Try this one little Windows tweak

Trixr

Re: Like a US drug commercial...

It's set on Domain Admin accounts by default. And members of BUILTIN\Administrators and similar groups. You don't want to set it on normal user accounts, because the only way you can manage accounts with the Admin flag set would be by another account that has Domain Admin privileges.

So that would screw up your account management delegations (since you don't want Domain Admins doing general account operations except in your crappy AD lab).

The best thing by far is to fix up your AD security - don't use the built-in Server Operators and Account Operators groups, and check very carefully how you delegate OU permissions. i.e. don't give your account operations team Full Control to all your user OUs - ensure you're selecting user objects only. And stop logging on with Domain Admin accounts everywhere. Those accounts should only be logging onto DCs, and not directly from your workstations, and only for actual domain-level changes.
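Added example, not part of the comment above or of the original page: a PowerShell check for the OU delegation advice, listing explicit Full Control (GenericAll) grants on an OU and whether each is scoped to user objects only. The function name `Test-BroadOuDelegation`, the `CORP\...` trustees, the sample ACEs and the skip list of expected admin trustees are assumptions made for illustration.

```powershell
# Added example: flags OU delegations that grant Full Control (GenericAll)
# to every object class instead of to user objects only.
$UserClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class
# Assumption: trustees expected to hold Full Control, skipped in the report.
$Expected = '\\(Domain Admins|Enterprise Admins|SYSTEM|Administrators|ENTERPRISE DOMAIN CONTROLLERS)$'

function Test-BroadOuDelegation {
    param(
        [Parameter(Mandatory)] [string]   $OU,
        [Parameter(Mandatory)] [object[]] $Ace
    )
    foreach ($a in $Ace) {
        if ($a.IsInherited) { continue }                                  # report each grant once, where it is set
        if ("$($a.AccessControlType)" -ne 'Allow') { continue }
        if ("$($a.ActiveDirectoryRights)" -notmatch 'GenericAll') { continue }
        if ("$($a.IdentityReference)" -match $Expected) { continue }

        $target = [guid]$a.InheritedObjectType
        $scope  = if     ($target -eq [guid]::Empty)  { 'all object classes' }
                  elseif ($target -eq $UserClassGuid) { 'user objects only' }
                  else                                { "class $target" }

        [pscustomobject]@{
            OU          = $OU
            Trustee     = "$($a.IdentityReference)"
            Inheritance = "$($a.InheritanceType)"
            Scope       = $scope
            TooBroad    = ($target -eq [guid]::Empty)
        }
    }
}

# Constructed sample ACEs (not taken from a real domain).
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CORP\AccountOps'; ActiveDirectoryRights = 'GenericAll'
                       AccessControlType = 'Allow'; InheritanceType = 'All'
                       InheritedObjectType = [guid]::Empty; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'CORP\Helpdesk'; ActiveDirectoryRights = 'GenericAll'
                       AccessControlType = 'Allow'; InheritanceType = 'Descendents'
                       InheritedObjectType = $UserClassGuid; IsInherited = $false }
)
Test-BroadOuDelegation -OU 'OU=Staff,DC=corp,DC=example' -Ace $sample | Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory RSAT module, which provides the AD: drive):
# Import-Module ActiveDirectory
# Get-ADOrganizationalUnit -Filter * | ForEach-Object {
#     Test-BroadOuDelegation -OU $_.DistinguishedName -Ace (Get-Acl "AD:\$($_.DistinguishedName)").Access
# } | Where-Object TooBroad
```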
