Posting the last weblog reminded me of a situation which I'd like to share:
I was at a customer and we were in a workshop defining the roles in Active Directory needed for that enterprise. When we started there were a lot of people/departments which thought it was necessary to be either domain admins or account operators. We told them what they'd be able to break if they were domain admins. Then we went on to how assigned GPOs would work if they created objects in the wrong spot, e.g. user accounts in computer OUs or vice versa. We told them that we are able to protect them from making mistakes while keeping them happy in their assigned roles.
At the end of the workshop it was pretty funny - we were looking at a matrix of rights assigned per role, and they were no longer discussing "I need those rights to perform my job", they were asking "Do I really need that right? I believe it's a different role's responsibility to take care of this".
Great experience for me, and spread the word out there - stick with the least rights necessary to perform any role!