Great advice, Indy! Good stuff. Just a couple of questions.
The first thing to do to improve your compliance is to ensure that all users have non-admin accounts for regular use, and do not have access (in general) to admin passwords. This protects the practice and the machines, as both internal and external attacks are limited if the user does not have admin permissions.
I am assuming you mean local admin. Of course, you would never give a regular user a domain admin account. I know I got a rootkit virus that, had the user been logged in as a non-local admin, probably wouldn't have taken hold. I did have all my users as non-admins, but it can get frustrating when you want to quickly do something that requires admin rights (local) and there is no Run As option. But it is the safest way.
In use - if each user has their own credentials, and they don't share, then in the event of a staff change you just deactivate one account. Don't leave a computer logged in as a practitioner without locking the screen.
Are you referring to logging into the domain and authenticating with the server where users can be activated, deactivated or deleted?
Thanks.
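As an added example (not part of this thread or anyone's post in it), the following PowerShell script shows the two practical pieces of the local-admin discussion above: auditing who actually sits in a workstation's local Administrators group, and elevating a single tool with a Run As prompt instead of logging the whole session in as an admin. It assumes Windows 10 / Server 2016 or later (for Get-LocalGroupMember); the expected-member list, including the CONTOSO\Domain Admins entry, is a constructed placeholder to adapt to your own domain.

```powershell
# Added example, not from the thread. Assumes Windows 10 / Server 2016+.
# Audit the local Administrators group and flag anything not on an expected list,
# then demonstrate the PowerShell equivalent of "Run As" for one elevated task.

function Get-LocalAdminAudit {
    [CmdletBinding()]
    param(
        # Constructed placeholder list: the built-in local Administrator account and a
        # domain group. Replace with the names your practice actually sanctions.
        [string[]]$Expected = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins')
    )
    # Reading group membership does not require elevation, so this runs as a standard user.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            Source      = $_.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            ObjectClass = $_.ObjectClass       # User or Group
            Expected    = ($Expected -contains $_.Name)
        }
    }
}

function Test-IsElevated {
    # True when the current session already holds the Administrator role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 1. Report every member of the local Administrators group that is not on the expected list.
#    Any regular user account showing up here is a candidate to be demoted to a standard user.
Get-LocalAdminAudit |
    Where-Object { -not $_.Expected } |
    Format-Table Name, Source, ObjectClass -AutoSize

# 2. The "Run As" option from a non-admin session: start one elevated PowerShell window
#    (UAC prompts for admin credentials) for the quick admin task, leaving the user's
#    normal session non-admin.
if (-not (Test-IsElevated)) {
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList '-NoExit', '-Command', 'Get-LocalGroupMember -Group Administrators'
}
```

The Start-Process line is the scripted form of Shift+right-click "Run as different user" or a UAC prompt: the standard-user session stays standard, and only the one launched process carries admin rights.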