Has anyone thought about or asked about the idea of AD based user groups for administration access?
The idea would be to have AD groups for full Admin control and another for Read-Only admin access.
The users would be added or removed in the AD groups and an administrator configuration would be built for the AD group not the individual users.
The AD groups can be managed for who is in there and have rights. There could be risks but also allows flexibility in Admin control.