Hacker accesses some legacy application that verifies the user's credentials against LDAP. Maybe it's payroll or something. Hacker logs passwords until someone who happens to be an org-wide local admin (or worse yet, DA) wants their paystub. Hacker now has admin privileges.
(Also, if UAC settings are turned down, that might mean the UAC prompt isn't on the secure desktop, and any malware can thus trivially elevate itself if your everyday account is an admin... etc.)
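A read-only check for the two conditions the parenthetical describes (UAC prompt off the secure desktop, everyday account in local Administrators), given here as an added example that is not part of the original comment. The function names `Get-UacValue` and `Test-UacPosture` are illustrative; the registry value names are the standard UAC policy values.

```powershell
# Added example (read-only): report the UAC settings the comment refers to.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue([string]$Name) {
    # Returns the DWORD value, or $null when the value is not set.
    $p = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { [int]$p.$Name } else { $null }
}

function Test-UacPosture {
    $enableLua     = Get-UacValue 'EnableLUA'
    $adminPrompt   = Get-UacValue 'ConsentPromptBehaviorAdmin'
    $secureDesktop = Get-UacValue 'PromptOnSecureDesktop'

    # whoami also lists deny-only groups, so this is true for an admin
    # account even when the current session is not elevated.
    $isAdminAccount = [bool]((whoami /groups /fo csv /nh) -match '"S-1-5-32-544"')

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'EnableLUA=0: UAC is disabled, admin sessions run fully elevated.'
    }
    if ($adminPrompt -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: admins elevate without any prompt.'
    }
    # Values 1 and 2 force the secure desktop on their own.
    if ($secureDesktop -eq 0 -and $adminPrompt -notin 1, 2) {
        $findings += 'PromptOnSecureDesktop=0: the prompt is drawn on the user desktop.'
    }
    if ($isAdminAccount) {
        $findings += 'Current account is a member of BUILTIN\Administrators.'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        PromptOnSecureDesktop      = $secureDesktop
        AccountIsLocalAdmin        = $isAdminAccount
        Findings                   = $findings
    }
}

Test-UacPosture | Format-List
```

The combination to look for is a non-empty prompt finding together with `AccountIsLocalAdmin = True`; an empty `Findings` list on a standard-user account is the posture the comment argues for.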