By now I would hope that, unless there were extenuating circumstances, all users (including administrative users) use a low-level account for their daily activities and raise their permissions to perform administrative tasks.
Obviously domain-based tasks need to utilize a domain account, but software & driver installation can be done via local admin.
Thinking in terms of preventing lateral movement through a network, is elevating to a domain or local account the safest option?