In my previous post I posed a problem where all the users were in the domain admins group and asked what dangers this could pose. The responses included the fact that removing people from the domain admins group could cause issues with programs running on the local desktop if the previous setup relied on the administrative rights to allow users to be an administrator on the local pc. This is a correct statement, but there is another gotcha that has yet to be revealed.
From my analysis of the network (after the gotcha was revealed) it was discovered that the previous administrators had been lazy and actually added everybody to all of the groups in the domain so they wouldn’t have to worry about people not being able to do things. I removed them all from the domain administrators group to lock down security (they would need to be in the power users for some old applications to work)
So now you know all the relevant details that may lead you to the gotcha, what do you think is the problem?