"And how do you stop helpless desks turning admin running state on as a 'fix' for all sorts of bugs they have neither the training nor the budget to fix properly"
The two common methods I have seen are audit admin groups and fire anyone that makes unauthorised changes and secondly to regularly reset the local admin group to default settings via group policy.