CIS benchmark or NIST controls vs Microsoft recommendations on domain administrator accounts?

[https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-f--securing-domain-admins-groups-in-active-directory#step-by-step-instructions-to-secure-domain-admins-in-active-directory](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-f--securing-domain-admins-groups-in-active-directory#step-by-step-instructions-to-secure-domain-admins-in-active-directory)


Can anyone map a CIS control that maps to the link above that recommends setting up active directory group policy to block domain administrator accounts from logging into workstations and servers that are not Tier 0 assets?

Deny access from the network

Deny log on as a batch job

Deny log on as a service

Deny log on locally.

​

This is beyond just principle of least privilege where you avoid giving accounts more rights than they need. So, …

accounts benchmark cis controls cybersecurity domain microsoft nist nist controls recommendations