It is common to find Domain Users in the local Administrators group of a laptop or PC. This can cause security issues: for example, other domain users can run programs on your computer while you are logged in.
You can address this by using Authenticated Users instead. (This group is not shown in the computer's search dialog when you try to add it to the local Administrators group.)
Remove Domain Users from the local Administrators group, then use the following command to add Authenticated Users:
net localgroup administrators "Authenticated Users" /add
You can test it: it should work so that only the local user can change computer settings while he is logged in to the computer.
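The same change as a PowerShell script that shows the group's membership before and after, so the result can be checked rather than assumed. This is an added example, not part of the original post; the `-Apply` switch and the function names are hypothetical, and it assumes an elevated PowerShell 5.1+ session with the built-in LocalAccounts module.

```powershell
# Added example: audit the local Administrators group, then apply the swap
# described in the post. Without -Apply (hypothetical switch) it only reports.
param([switch]$Apply)

$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators, well-known SID
$AuthUsers = 'S-1-5-11'       # NT AUTHORITY\Authenticated Users, well-known SID
$DomainUsersPattern = '^S-1-5-21-(\d+-){3}513$'   # <domain SID>-513 = Domain Users

# Well-known SIDs that stand for a whole population rather than one account.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-4'  = 'Interactive (anyone logged on locally)'
    'S-1-5-11' = 'Authenticated Users (every account that has authenticated)'
}

function Get-BroadLabel([string]$Sid) {
    if ($BroadSids.ContainsKey($Sid))    { return $BroadSids[$Sid] }
    if ($Sid -match $DomainUsersPattern) { return 'Domain Users (every domain account)' }
    return ''
}

function Show-AdminMembers([string]$Title) {
    Write-Host $Title
    Get-LocalGroupMember -SID $AdminsSid | ForEach-Object {
        [pscustomobject]@{
            Name  = $_.Name
            SID   = $_.SID.Value
            Class = $_.ObjectClass
            Broad = Get-BroadLabel $_.SID.Value
        }
    } | Format-Table -AutoSize | Out-Host
}

Show-AdminMembers 'Local Administrators before the change:'

$memberSids  = @(Get-LocalGroupMember -SID $AdminsSid | ForEach-Object { $_.SID.Value })
$domainUsers = @($memberSids | Where-Object { $_ -match $DomainUsersPattern })
$hasAuth     = $memberSids -contains $AuthUsers

if (-not $Apply) {
    Write-Host "Would remove: $($domainUsers -join ', ')"
    if (-not $hasAuth) { Write-Host "Would add: $AuthUsers" }
    return
}

# Using SIDs instead of names keeps this working on non-English Windows.
foreach ($sid in $domainUsers) { Remove-LocalGroupMember -SID $AdminsSid -Member $sid }
if (-not $hasAuth)             { Add-LocalGroupMember    -SID $AdminsSid -Member $AuthUsers }

Show-AdminMembers 'Local Administrators after the change:'
```

The `Broad` column spells out which population each group entry covers, so the membership left after the change can be reviewed line by line.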
Lots of guys write about this subject but you said really true words.