Admin account has more privileges than I want most people to have. User account has too few. I generally set my security fairly granularly on my Linux servers, but I'm finding the amount of control I'm given extremely lacking on the Windows servers. Granted 7 isn't a perfect analog to 2008 Server, but I had already registered here before I realized I was on a Windows 7 specific forum and figured it was worth a shot.
The idea is to require administrators to use their accounts to activate the Administrator account and then log in to the administrator account with a different password if they want to affect monitoring, allowing the administrators to administrate but putting another password between them and event logging and such, leaving an extra layer of security in between the administrator's personal account and the true administrator account that has the ability to destroy the audit trail in the event that the less privileged account is compromised.