Take the whole notion of administrative privilege. Note that the term isn't administrative God-given right or administrative birthright. Sometimes, that privilege has to be taken away -- or not granted in the first place -- to protect the network from security breaches or to keep people from messing around with things they shouldn't be messing around with. But try to tell that to a user who believes they simply must have administrative privileges because, well, they must. Worse yet, some applications won't run in user mode, so there's no choice but to let them operate as an administrator.
Security consultant Steve Friedl, who spoke recently to SearchWin2000.com on the subject, had some pretty good advice to offer.
First, if you have the ability to revoke privileges for an application, be sure to test things before taking action. You don't want to set in motion unintended consequences. Next, take the time to explain to users why you need to reduce their privileges. With understanding comes acceptance; with ignorance comes a hissy fit. And finally, complain to your vendors if their software doesn't limit user rights. They won't change what they don't know -- or hear -- about.