The way the admin user is added should be changed to create a group and add the user of choice into this group, then assigning the group to the local administrators.
I have only done testing around adding a user into an already created AD group, and then assigning that group to a GPO to gain access to domain controllers and servers. The current way is dangerous and will remove all previous users from the administrators group.
Using this option in an engagement is impossible due to the nature of being detected by removing admins from servers administrators group.
The way the admin user is added should be changed to create a group and add the user of choice into this group, then assigning the group to the local administrators.
I have only done testing around adding a user into an already created AD group, and then assigning that group to a GPO to gain access to domain controllers and servers. The current way is dangerous and will remove all previous users from the administrators group.
Using this option in an engagement is impossible due to the nature of being detected by removing admins from servers administrators group.