Okay, we have identified our privileged users and determined what rights are needed for them to do their jobs. Now we need a way to enforce these new roles.
Active Roles is an AD proxy. It sits between the user and Active Directory and determines whether the user is permitted to perform the requested task. Because the Active Roles service account is the one actually making the changes, the number of privileged accounts in AD can be reduced dramatically. It also lets you put a workflow around specific tasks that you need to protect (like adding users to or removing them from the Schema Admins group).
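To check that the reduction has actually happened, the following PowerShell audit lists every account that still holds direct membership in the built-in privileged groups apart from the ones you expect to keep. It is an added example, not Active Roles code; the account names `svc-activeroles` and `breakglass-da`, the `$UseLiveDirectory` switch, and the sample data are assumptions made for illustration.

```powershell
# Added example: report accounts that still hold native AD privilege after
# delegation has moved behind the proxy. Not part of Active Roles itself.
function Get-UnexpectedPrivilegedMember {
    [CmdletBinding()]
    param(
        # Objects with Group and SamAccountName properties.
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Membership,
        # Accounts expected to keep direct rights (proxy service account, break-glass).
        [Parameter(Mandatory)] [string[]] $Allowed
    )
    $Membership |
        Where-Object { $Allowed -notcontains $_.SamAccountName } |   # case-insensitive
        Group-Object SamAccountName |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.Name
                Groups = ($_.Group | ForEach-Object Group | Sort-Object -Unique) -join ', '
            }
        }
}

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$allowed          = 'svc-activeroles', 'breakglass-da'   # hypothetical account names
$UseLiveDirectory = $false   # set to $true on a domain-joined host with the ActiveDirectory module

if ($UseLiveDirectory) {
    # -Recursive resolves nested groups, so indirect members are reported too.
    $membership = foreach ($g in $privilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive |
            ForEach-Object { [pscustomobject]@{ Group = $g; SamAccountName = $_.SamAccountName } }
    }
} else {
    # Constructed sample data so the script runs without a directory.
    $membership = @(
        [pscustomobject]@{ Group = 'Domain Admins';     SamAccountName = 'svc-activeroles' }
        [pscustomobject]@{ Group = 'Domain Admins';     SamAccountName = 'breakglass-da' }
        [pscustomobject]@{ Group = 'Domain Admins';     SamAccountName = 'jsmith' }
        [pscustomobject]@{ Group = 'Schema Admins';     SamAccountName = 'jsmith' }
        [pscustomobject]@{ Group = 'Enterprise Admins'; SamAccountName = 'helpdesk-lead' }
    )
}

# Anything returned here is an account whose rights have not yet moved to the proxy.
Get-UnexpectedPrivilegedMember -Membership $membership -Allowed $allowed |
    Format-Table -AutoSize
```

Run on a schedule, an empty result is the steady state; any new row means someone was granted native AD privilege outside the proxy.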