I'm checking the 70-744 videos and they are great, I'm learning a lot! I have a real world and also best practice question regarding administrative privileges on users workstations.
For example an IT Helpdesk user needs Admin privileges sometimes to install a specific software or make a specific change. I know that we shouldn't use Domain Admin accounts. With these part of the videos I checked a User Right that doesn't cache passwords.
So, and without using LAPS (it might be the best option in reality, I didn't catch up those videos yet [I'm going though the order of the official book of MS]) should I have a account with delegated privilege for administrative tasks and don't cache the password?
JIT and JEA is the way to go, but on a real world, going step by step, is this a first good approach? Also, there is an option to clear the already cached admin passwords on the workstations?
Thank you in advance for the help!