Re: Group Policy restrictions for Local Admins

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 05/27/05 

Date: Thu, 26 May 2005 21:11:20 -0700

The strategy of granting them everything but then find ways to
remove and/or cripple what is determined to be bad for them to
have is, well, a fundementally flawed approach.

For it to actually be (somewhat) workable would mean that one
is a few steps ahead of them, knowing of and having blocked
the next thing that is determined to be bad for them to have.

As Robert summarized, if 99% are clueless then they really
should not have that sort of capability.

Instead, it is IMO better to define what actually are their needs
and then frind ways to work up to having those entirely satisfied
but without granting excess.

What is very strange in your posting is that you are seeking ways
to throttle their ability to install software. This is perhaps the number
one or two reason cited as to why excessive grant of admin has
been given to the general user. 

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA,  MCSE W2k3+W2k+Nt4
<kenw@kmsi.net> wrote in message 
news:39nb91ld4e9rnm1i5lfbff43ipetfqd3mq@4ax.com...
> Maybe this is a lost cause, but it's worth asking.
>
> It should be possible to use Group Policy to restrict that ability to add
> and remove software -- or, alternatively, restrict what software will run
> -- for people who have local admin rights.  I'm looking for ideas on how
> best to do that.
>
> Granted, people with local admin rights could, in theory, do anything they
> want with "their" PCs.  In practice, however, 99% of users would have no
> idea how.
>
> /kenw
> Ken Wallewein
> K&M Systems Integration
> Phone (403)274-7848
> Fax   (403)275-4535
> kenw@kmsi.net
> www.kmsi.net