A.. Credential management: Credential Management is a proposed application programming interface (API) under development by the World Wide Web Consortium for standardizing aspects of how password managers used by web user agents (web browsers and other applications) create, store, use, and modify username and password combinations for logins, in addition to the management of "federated" credentials (such as single sign-on tokens) by user agents.
B.. Group policy management: Group Policy Management can determine how the account is to be used, what level of access, etc. The fact is that the user account is being used, and group policy will not stop the account for being used.
In addition to that, there is no in-built GPO that would disable stale accounts. One could use use dsquery to list users who have not login in the past 30 days and disable the account.
C..Acceptable use policies: Clearly the user already knows what the Acceptable use policies are, and is doing his/her uttermost to circumvent them by (a) using a stale admin account and (b) on a seldom used server so that (c) his her activities will go undetected.
The "best" answer to my mind is to ensure that accounts are set to expire.
D.. Account expiration policies
An even better answer would have been "account auditing", running dsquery to identify un- used/stale accounts, then disabling them and moving them to a different OU
https://www.linkedin.com/pulse/cleaning-up-obsolete-user-computer-accounts-from-active-ajit- singh/
https://www.lepide.com/how-to/manage-inactive-accounts-in-active-directory.html

Explanation
A penetration test, or pen test, is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities.