CMMC 1.0 Practice SC.3.181 Requirement:
Separate user functionality from system management functionality.
CMMC 1.0 SC.3.181 Requirement Explanation:
This requirement has two primary objectives. The first is to prevent employees who don't have system administration responsibilities from having admin rights. The second is to require admins to use their admin accounts when performing system admin functions. Admins are to have both a regular user account and a separate admin account.
Example CMMC 1.0 SC.3.181 Implementation:
Review which users have administrative privileges. Determine whether those users require administrative privileges. If they don't, revoke their administrative privileges. For the users that do require administrative privileges, create an unprivileged user account and a separate admin account for each of them. Document a policy requiring this. Only allow their admin accounts to carry out system management functions; this can be enforced using user security groups. Only allow system administrators to access the systems and servers that make up your IT infrastructure. Examples include limiting access to Active Directory servers and limiting access to the admin interfaces of network devices.
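The review step above can be scripted. The following PowerShell audit is an added example, not part of the CMMC text: it lists every user who is directly or indirectly in a privileged Active Directory group, flags privileged accounts that do not follow an admin naming convention (likely day-to-day accounts holding admin rights), and for each admin account checks that a paired unprivileged account exists and is not itself privileged. It assumes the ActiveDirectory module is installed, that admin accounts use a hypothetical "adm-<username>" naming convention, and that the privileged groups of interest are the built-in Domain Admins, Enterprise Admins and Administrators groups; adjust those to your environment.

```powershell
# Added example (not from the CMMC text): audit privileged group membership and
# confirm each admin has a separate, unprivileged day-to-day account.
# Assumptions: ActiveDirectory module available; admin accounts follow a
# hypothetical "adm-<username>" naming convention; privileged groups listed below.
Import-Module ActiveDirectory

$AdminPrefix      = 'adm-'   # assumed naming convention for admin accounts
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirectly privileged users are caught too
    $Members = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($Member in $Members) {
        $Admin = Get-ADUser -Identity $Member.distinguishedName -Properties Enabled, LastLogonDate
        $Name  = $Admin.SamAccountName

        if ($Name -notlike "$AdminPrefix*") {
            # A privileged account outside the admin naming convention is most likely
            # a day-to-day user account holding admin rights: review and revoke if unneeded.
            [pscustomobject]@{
                Group   = $Group
                Account = $Name
                Issue   = 'Privileged account does not follow the admin naming convention; review whether admin rights are required'
            }
            continue
        }

        # Admin account found: confirm a matching unprivileged account exists.
        $UserName = $Name.Substring($AdminPrefix.Length)
        $User = Get-ADUser -Filter "SamAccountName -eq '$UserName'" -ErrorAction SilentlyContinue
        if (-not $User) {
            [pscustomobject]@{
                Group   = $Group
                Account = $Name
                Issue   = "No paired unprivileged account '$UserName' found"
            }
        }
        else {
            # The paired day-to-day account must not itself sit in a privileged group.
            $UserGroups = (Get-ADPrincipalGroupMembership -Identity $User).Name
            $Overlap = $UserGroups | Where-Object { $PrivilegedGroups -contains $_ }
            if ($Overlap) {
                [pscustomobject]@{
                    Group   = $Group
                    Account = $Name
                    Issue   = "Paired user account '$UserName' is also privileged via: $($Overlap -join ', ')"
                }
            }
        }
    }
}

# Each finding is one account needing review; an empty table means the
# separation described in the practice is in place for the audited groups.
$Findings | Sort-Object Group, Account | Format-Table -AutoSize
```

Run it from a workstation with RSAT under an account that can read group membership, and keep the output with your policy documentation as evidence of the periodic review. Because the script only reads directory objects, it can be scheduled safely; revoking privileges remains a deliberate, documented action taken on each finding.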
CMMC 1.0 SC.3.181 Scenario(s):
- Scenario 1:
A system admin wants to log onto the Active Directory server to make some changes. They attempt to log in with their unprivileged user account but are unable to log in. They then try logging in with their admin account and are allowed in. As a result, user functionality was separated from system management functionality.