Hello everybody

My users domain accounts are in the local administrators groups of their
local XP PC's.
I want to move the domain accounts from local administrators to a group
where they can still install ALL software, change the system time, install
windows updates, and all other user tasks
BUT
that they do not have the right to change the domain membership, create new
local users, add (or remove) users to the local admins user group.

Power users cannot install all software (rising to most software for some
users) so that isn't a solution. Really, it's not.

I believe I need to create a new custom local group on each PC, add the
users domain accounts to it and somehow grant that account enough rights to
do the above tasks, whilst dening them the rights to change domain
membership, etc.

N.B. We (will soon!) have a 2003 domain for group policies, etc.

How do I go about assigning these rights to a custom local group?
How do I automate this for 250 XP PC's?

Thanks in advance

Andy.

What you want to do is not possible. They will need to be local
administrators from your description. Having said that you can use Group
Policy to restrict enough access to even the local administrator to deter
all but the most skilled and determined users. For instance you can block
access to mmc snapins, the registry, the command prompt, etc and use
Software Restriction Policies to restrict what a user can install and run on
there computer though a local administrator can bypass SRP by booting into
safe mode if they know such. Also any .msi software packages can be assigned
or published via Group Policy so that they can be installed by the
"computer" or user even if they do not have any elevated privileges
normally. --- Steve


<andy_cafferkey@hotmail.com> wrote in message
news:%23$Yoh3X1FHA.3300@TK2MSFTNGP15.phx.gbl...
> Hello everybody
>
> My users domain accounts are in the local administrators groups of their
> local XP PC's.
> I want to move the domain accounts from local administrators to a group
> where they can still install ALL software, change the system time, install
> windows updates, and all other user tasks
> BUT
> that they do not have the right to change the domain membership, create
> new local users, add (or remove) users to the local admins user group.
>
> Power users cannot install all software (rising to most software for some
> users) so that isn't a solution. Really, it's not.
>
> I believe I need to create a new custom local group on each PC, add the
> users domain accounts to it and somehow grant that account enough rights
> to do the above tasks, whilst dening them the rights to change domain
> membership, etc.
>
> N.B. We (will soon!) have a 2003 domain for group policies, etc.
>
> How do I go about assigning these rights to a custom local group?
> How do I automate this for 250 XP PC's?
>
> Thanks in advance
>
> Andy.
>
>

Thanks for your reply.

Andy

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:GZCdnWIzNZS8-MfeRVn-rA@comcast.com...
> What you want to do is not possible. They will need to be local
> administrators from your description. Having said that you can use Group
> Policy to restrict enough access to even the local administrator to deter
> all but the most skilled and determined users. For instance you can block
> access to mmc snapins, the registry, the command prompt, etc and use
> Software Restriction Policies to restrict what a user can install and run
> on there computer though a local administrator can bypass SRP by booting
> into safe mode if they know such. Also any .msi software packages can be
> assigned or published via Group Policy so that they can be installed by
> the "computer" or user even if they do not have any elevated privileges
> normally. --- Steve
>
>
> <andy_cafferkey@hotmail.com> wrote in message
> news:%23$Yoh3X1FHA.3300@TK2MSFTNGP15.phx.gbl...
>> Hello everybody
>>
>> My users domain accounts are in the local administrators groups of their
>> local XP PC's.
>> I want to move the domain accounts from local administrators to a group
>> where they can still install ALL software, change the system time,
>> install windows updates, and all other user tasks
>> BUT
>> that they do not have the right to change the domain membership, create
>> new local users, add (or remove) users to the local admins user group.
>>
>> Power users cannot install all software (rising to most software for some
>> users) so that isn't a solution. Really, it's not.
>>
>> I believe I need to create a new custom local group on each PC, add the
>> users domain accounts to it and somehow grant that account enough rights
>> to do the above tasks, whilst dening them the rights to change domain
>> membership, etc.
>>
>> N.B. We (will soon!) have a 2003 domain for group policies, etc.
>>
>> How do I go about assigning these rights to a custom local group?
>> How do I automate this for 250 XP PC's?
>>
>> Thanks in advance
>>
>> Andy.
>>
>>
>
>