"Stephen M" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> We have a network of Windows 2K and XP pro workstations which are members
> of a Win2003 domain.
>
> When we migrated and first set up this domain, we made everyone regular users.
> Specifically because we did not want people installing programs. Cleaning
> up spyware infections was getting to be a full-time job.
This will not in general prevent installation of programs so it may
not even do what you wanted.
You pretty much have to use a tedious combination of Software
Restriction Groups AND careful NTFS permissions to prevent
installation of programs.
> It solved the spyware problem, but locked people out of some functions
> that they had a legitimate need to get into. Specifically, laptop users
> need to occasionally mess with their network settings and power options
> would be nice as well.
Paul's idea (this thread) seemed helpful for the network portion.
> Ideally, I would like this to allow this via the domain controller rather
> than by administering individual machines.
>
> Could someone point me in the right direction for accomplishing this?
You can grant rights to do certain tasks, or even permissions on Files
(but almost no one does that since it is so difficult to get correct) from
a GPO on the DCs. You can also put people into well-known local
groups (like Power Users) from a GPO by using Restricted Groups
(run the GPEdit from a workstation or non-DC server to see those
local groups however.)
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
> Thanks,
>
> Steve
>
>
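
The Restricted Groups approach mentioned in the reply can be reviewed after the fact. This added example, which is not part of the original thread, parses the `[Group Membership]` section of a GPO security template (`GptTmpl.inf`) and flags broad principals pushed into powerful local groups. The sample template, the `EXAMPLE` domain, its group names, and the choice of Network Configuration Operators are constructed assumptions.

```python
# Added example: well-known BUILTIN local group SIDs used in Restricted Groups entries.
BUILTIN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-556": "Network Configuration Operators",
}
# Local groups whose members can gain administrative control of a workstation.
HIGH_PRIV = {"Administrators", "Power Users"}

# Constructed sample template; domain and group names are placeholders.
SAMPLE_INF = r"""
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-556__Memberof =
*S-1-5-32-556__Members = EXAMPLE\Laptop Users
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = EXAMPLE\Domain Users,EXAMPLE\Helpdesk
"""

def restricted_groups(inf_text):
    """Return {local group name: [members]} from the [Group Membership] section."""
    result, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() != "members":
            continue  # __Memberof lines describe nesting, not members
        name = BUILTIN.get(group.lstrip("*"), group)
        result[name] = [m.strip() for m in value.split(",") if m.strip()]
    return result

def findings(groups, broad=("Domain Users", "Authenticated Users", "Everyone")):
    """Flag broad principals that a policy places in high-privilege local groups."""
    return [(g, m) for g, members in groups.items() if g in HIGH_PRIV
            for m in members if m.split("\\")[-1] in broad]

if __name__ == "__main__":
    groups = restricted_groups(SAMPLE_INF)
    print(groups, findings(groups))
```

On a real domain the template is normally stored as UTF-16, so decode it before passing the text to `restricted_groups`.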