We have a client who we want to put on a contract that is basically "all you can eat". I am however worried about the bosses wife who likes to have domain admin access, and likes to play around in active directory.
Do you have some kind of provision in the contract that you can charge them a peanalty fee if they go playing?
If the client really wants to have this options, put on some security logging. Then by contract warn them for the risks and no responsibility if it is their own fault. The logs will be there as proof...
thats what I should do.
However, I really would not have somebody 'playing' to have too much administrative rights.
We deal with mainly media companies, tech savvy web designers and SEO firms. They all have their admin rights, I can't think of one that doesnt. The reality is that playing gets boring after a while and work takes over. Deal with issues as they come up and make sure your reports, which go to the management each month, make clear issues caused by the user f******g about. The management will be more interested in them wasting time with their pc than with you wasting contract time, which is completely understandable, but they will then speak to the end user and it will stop.
Alternatively have a list of apps you just dont support (or a list you do) as we do for one client. They can do what they like but if it's on that list, we don't support it.