Getting away from administrator account on Desktop

["sec sam" <secsam () gmail com>]

Hello everyone

Our company uses Novell and login script will substitute the users
login with administrator account is the only one on the local desktop
or laptop. I know this is not a standard practice anymore and am
looking for information on what would be a better strategy.

I am sure you all know the security problems this brings about such as:
Anyone who knows the admin password can walk up to any pc that is
logged on to the network, even with screensaver and gain access using
that persons pc, additionally to the network with that users
privileges.

I bet that over there are more people that know the password than
don't know it. Laptop users need the local admin password because it
must be used when not connected to the network. Not to mention that
the password has never changed.

I am just trying to find resources to help me identify what should be
considered when trying to change this and possible strategies.   I
need to be more knowledgable about this issue in order to even be able
to discuss possible solutions.

Thanks....
Secsam