Re-blog frοm Source
It is always good to remember that the Administrators group provides full control over the Domain Controllers and is just as critical of a group to keep users out of.
In the Domain Admins group, we all have seen accounts for monitoring, PowerShell queries, etc. Those typically only need WMI access to pull information to monitor/audit. By following the theory of least privilege, it allows you to still give access needed to watch your infrastructure, without potentially compromising access.