Working for the federal govt as a contractor, I must say that many things regarding abuse of rights for us boil down to "If you even attempt to do that, it will be logged. If it is discovered, you will be fired, and possibly prosecuted depending on what it is." The key part is "if it is discovered."
So our users have very few rights. Technical users have Elevated accounts in addition to normal user accounts, and AD group membership is used, along with GPOs.
Our site is almost heaven compared to the hospital where I used to work. At the hospital, doctors on the night shift in ER downloaded and installed various entertainment apps - some of which evaded detection by our poorly managed AV at the time. When HIPAA became a buzzword, we tried to remove rights, but it broke many apps. A medium-sized hospital (100-500 beds) might have hundreds of apps and servers. Fortunately, over the years, medical software vendors finally heard the complaints and started cleaning this up ... a bit.
But the single greatest obstacle to managing rights in Windows is Microsoft Event Logging itself. What utter fertilizer! A single access attempt from the point of view of an application or user can trigger many dozens of log entries, most of which are useless gibberish. Various vendors have tried to make products that attempt to reverse engineer these entries, but it almost never works except for highly specific situations. There is no N in turnkey auditing solutions, in my experience - they are all turkeys.
Depending on how a user tries to access a file, you get hundreds of entries, and none of them come out and say "at time T, user U on PC P opened and viewed file F on server S." You have to suffer with many unnecessary log entries for the file scans, Kerberos tickets, etc. So you try to trim some of the logging, only to find that some of this is key stuff to reconstruct the chain of who it was, and what their IP was.
Windows itself needs to get a "who, from where did what" concentric logging - not the programmer debugging level logging it has now. Sure, keep both, for those that want it or need it.
And don't get me started on trying to audit changes made via Microsoft GUIs - the most basic need of change management in Windows. It's even worse than file access. So many kinds of objects in different data structures - some in AD, some in WMI, some in the Registry, some in ACLs on objects.
BTW, it would be great if SolarWinds would publish a list of minimum rights needed by which users and groups for all objects. It helps to get Dorothy back to Kansas after her goofy friends (like me) try to help by changing things. There are pieces of what I want in place now - where you can fix some file rights. Keep on that track, SW, it's a great thing. Make it a corporate standard for all of your apps.
=seymour=
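The "who, from where, did what" summary the post asks for can be reconstructed from the raw Security log by joining on the logon session: a 4624 (successful logon) event carries the source IP and workstation for a logon ID, and every later 4663 (object access) event in that session carries the same logon ID in its SubjectLogonId field. The script below is an added example, not code from the post or from SolarWinds; the event IDs and field names are the real Windows Security log ones, but the events, users, hosts and paths are constructed samples. It also drops the attribute-only accesses (AccessMask with no read/write bit) and collapses bursts of identical entries, which is where most of the "hundreds of entries" come from.

```python
"""Correlate Windows Security audit events into 'who, from where, did what'.

Added example (not from the forum post or any vendor product). Joins
file-access events (4663) to their logon session (4624) via the logon ID,
keeps only accesses whose AccessMask includes a read or write bit, and
collapses repeated entries for the same session/file within a time window.
"""
from datetime import datetime, timedelta

# ACCESS_MASK bits meaning the file contents were actually read or written.
READ_DATA = 0x1   # FILE_READ_DATA
WRITE_DATA = 0x2  # FILE_WRITE_DATA

# Constructed sample events (hypothetical users, hosts, logon IDs and paths).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2024-03-01T08:00:00", "TargetUserName": "jdoe",
     "TargetLogonId": "0x3e7a1", "IpAddress": "10.1.2.3", "WorkstationName": "PC-17"},
    {"EventID": 4624, "Time": "2024-03-01T08:00:30", "TargetUserName": "svc-backup",
     "TargetLogonId": "0x4f001", "IpAddress": "10.1.2.9", "WorkstationName": "BK01"},
    # ReadAttributes only (0x80): the kind of entry that is noise for an auditor.
    {"EventID": 4663, "Time": "2024-03-01T08:01:00", "SubjectUserName": "jdoe",
     "SubjectLogonId": "0x3e7a1", "ObjectName": r"\\FS01\Share\budget.xlsx", "AccessMask": "0x80"},
    # Three ReadData entries for one open: collapsed into a single record.
    {"EventID": 4663, "Time": "2024-03-01T08:01:05", "SubjectUserName": "jdoe",
     "SubjectLogonId": "0x3e7a1", "ObjectName": r"\\FS01\Share\budget.xlsx", "AccessMask": "0x1"},
    {"EventID": 4663, "Time": "2024-03-01T08:01:06", "SubjectUserName": "jdoe",
     "SubjectLogonId": "0x3e7a1", "ObjectName": r"\\FS01\Share\budget.xlsx", "AccessMask": "0x1"},
    {"EventID": 4663, "Time": "2024-03-01T08:01:07", "SubjectUserName": "jdoe",
     "SubjectLogonId": "0x3e7a1", "ObjectName": r"\\FS01\Share\budget.xlsx", "AccessMask": "0x1"},
    # Same file, different session: stays a separate record.
    {"EventID": 4663, "Time": "2024-03-01T08:02:00", "SubjectUserName": "svc-backup",
     "SubjectLogonId": "0x4f001", "ObjectName": r"\\FS01\Share\budget.xlsx", "AccessMask": "0x1"},
    # Write with no matching 4624 in the window we collected: source stays unknown.
    {"EventID": 4663, "Time": "2024-03-01T08:03:00", "SubjectUserName": "mallory",
     "SubjectLogonId": "0x9999", "ObjectName": r"\\FS01\HR\payroll.docx", "AccessMask": "0x2"},
]


def _action(mask: int):
    """Map an ACCESS_MASK to a human verb, or None for attribute/ACL-only access."""
    if mask & WRITE_DATA:
        return "wrote"
    if mask & READ_DATA:
        return "read"
    return None


def summarize(events, window=timedelta(minutes=5)):
    """Return one record per (session, file, action), in order of first access."""
    events = sorted(events, key=lambda e: e["Time"])  # ISO timestamps sort lexically
    sessions = {}       # LogonId -> (user, ip, workstation) from 4624 events
    records, open_records = [], {}
    for e in events:
        if e["EventID"] == 4624:
            sessions[e["TargetLogonId"]] = (e["TargetUserName"], e["IpAddress"], e["WorkstationName"])
        elif e["EventID"] == 4663:
            action = _action(int(e["AccessMask"], 16))
            if action is None:
                continue                              # drop the noise entries
            t = datetime.fromisoformat(e["Time"])
            logon_id = e["SubjectLogonId"]
            user, ip, ws = sessions.get(logon_id, (e["SubjectUserName"], "unknown", "unknown"))
            key = (logon_id, e["ObjectName"], action)
            rec = open_records.get(key)
            if rec and t - rec["last"] <= window:     # same burst: count it, don't repeat it
                rec["count"] += 1
                rec["last"] = t
                continue
            rec = {"time": e["Time"], "user": user, "ip": ip, "workstation": ws,
                   "action": action, "object": e["ObjectName"], "count": 1, "last": t}
            open_records[key] = rec
            records.append(rec)
    return records


def render(rec):
    """The one-line form the post wishes Windows would emit directly."""
    return (f"at {rec['time']} user {rec['user']} from {rec['ip']} ({rec['workstation']}) "
            f"{rec['action']} {rec['object']} ({rec['count']} audit entries)")


if __name__ == "__main__":
    for rec in summarize(SAMPLE_EVENTS):
        print(render(rec))
```

The join only works if the 4624 events are kept, which is the trade-off the post describes: trimming logon auditing to cut volume also removes the only place the source IP and workstation appear. On real exports, 4624 events with LogonType 3 (network) are the ones that tie a file-server access back to the client machine.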