Users with local administrator rights?

It's a huge liability.

Removing local administrator rights can mitigate the risk of some endpoint attacks, but not all. For more effective endpoint protection, organizations should employ a combination of privilege management and application control.

This CyberArk Viewfinity eBook explains:

Why removing local administrator rights combined with application control is a best practice approach.
The role of application whitelisting, greylisting and blacklisting in endpoint security.
How to improve your security posture and manage a least privilege environment.