Suppose you have two groups, "Workstation admins" and "Server admins", neither of which is in "Domain admins", hence they don't have control over Active Directory; neither of them has admin rights on any domain controller, and neither of which has admin privileges on the other group's machines.

If a workstation admin ever logs into a server, or vice versa, then that group can potentially gain the others' passwords. This is because, with local admin rights, you can take control of a machine remotely and use the other users' permission to do whatever your want.

Slarty