An Administrator account is someone or something can can perform a change on an object. If you are enacting change on a user, group, computer, organizational unit, or any object on a domain, you need an administrative account.
First step is to figure out who in your environment should have an admin account. When does anyone need an administrative account? How can you find administrators hiding in your domain? What standard can you define that forces a policy for people to use an administrator accounts?
The idea of an administrator account, an account used to perform administrative actions, had evolved. A frequently adopted model is for people to have a separate administrator account for their domain admin permissions. (If this model is not already in place in your environment, it should be adopted ASAP.) Where this model is a good first step, there is always room for improvement. Who all on the environment should have both a regular user account AND an administrative account?
If you answer yes to any of the following scenarios, the person needs a separate administrator account to perform work functions.
Can the person in control of the user object do any of the following:
Can this person perform these computer actions?
Can this person perform these actions to any group?
Can this person perform these actions on organization units or containers?
If the person answers yes to any of the items above for users, groups, computers, or containers, then this person needs a separate admin account.