The best thing that could happen to Windows is a user-privilege level where instead of providing a UAC prompt to the user when a program tries to elevate, the UAC daemon instead sends off a push-notification. The "real sysadmin" (e.g. nephew) would then install some app on their phone, which will catch these notifications and prompt them to remotely approve/deny the elevation requests. Or maybe even just make it non-interactive: default deny unless they've given an explicit elevation authorization in the last 30 minutes. "Phone me when you want something installed and I'll enable it." Sort of like a remote version of wi-fi router WPS pairing.
(Obviously, you can also build this for corporations, where the notifications are emails and managers can approve software installations on workstations and such from their email client. But corporations already get the benefit of "managed app stores" for frontloading software approval; they need this much less than individuals do.)
(Obviously, you can also build this for corporations, where the notifications are emails and managers can approve software installations on workstations and such from their email client. But corporations already get the benefit of "managed app stores" for frontloading software approval; they need this much less than individuals do.)