Clayton,
If your domain user account objects need to be members of the local Power
Users group to run the various CAD programs then it looks like you have a dilemma.
I would guess that they would need to be members of that local Group. This,
on the other hand, poses a problem for you in that you do not want your
users to be able to install software! As a member of the local Power Users
group they are able to install a lot of software.
One thing that you might want to explore is sysmon and regmon from
http://www.sysinternals.com. These two small applications will monitor
where failures are taking place ( specific directories or registry entries )
so that you can give the user the required permissions for that one folder
or registry entry. I do not know how involved that would be for you. It is
usually a trial and error thing so you might need a bit of time to tweak it
so that it is just right. And you will want to document this completely!
There is nothing more painful than reinventing the wheel again and again and
again!
As to making it impossible ( or, at least, more difficult ) you might want
to look at Software Restriction Policy. This will allow you, the Sys Admin,
to deny a whole bunch of executables ( but they can be renamed by the
users! ).
Here are some links:
http://support.microsoft.com/?id=324036
http://support.microsoft.com/?id=310791
http://www.microsoft.com/resources/...standard/proddocs/en-us/SRP_create_policy.asp
http://www.windowsecurity.com/articles/windows_2003_restriction_policies_security.html
Please note that these articles focus on WIN2003 and WIN XP Pro. You have
not specified what NOS you are using. I have been operating under the
impression that it was WIN2000 on the Server side and WIN2000/WIN XP Pro on
the Client side. I should have asked earlier.
Also know that you can use NTFS permissions to help abate this problem.
Lock down the C: and C:\Program Files so that 'Domain Users' simply have
read access. Please note that there would not be any share permissions
needed ( well, for starters, you are not sharing those folders and,
secondly, share permissions do not play any factor when accessing the shared
resource locally ).
HTH,
Cary
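
The following is an added example, not part of Cary's post: one way to check and document the NTFS lock-down described above by listing every Allow entry on C:\Program Files and its immediate subfolders that still lets an ordinary-user group write. It assumes PowerShell 3.0 or later (newer than the Windows 2000/XP systems discussed in the post); the `$Root` parameter, the `$watch` group list and the `$writeBits` mask are choices made for this example.

```powershell
# Added example (not from the original post): report ACL entries that let
# ordinary-user groups write to a folder and its immediate subfolders.
param(
    [string]$Root = 'C:\Program Files'   # folder named in the post
)

# Assumed watch list: groups that ordinary domain users normally belong to.
$watch = '\\(Users|Power Users|Domain Users|Authenticated Users)$|^Everyone$'

# Rights that allow adding, replacing, deleting or re-permissioning files,
# plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000), which
# inherit-only entries can carry in unmapped form.
$rights    = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
             'ChangePermissions, TakeOwnership'
$writeBits = [int][System.Security.AccessControl.FileSystemRights]$rights
$writeBits = $writeBits -bor 0x50000000

# The root itself plus each first-level subfolder (one per installed product).
$folders  = @(Get-Item -LiteralPath $Root)
$folders += Get-ChildItem -LiteralPath $Root -Directory -ErrorAction SilentlyContinue

$report = foreach ($folder in $folders) {
    try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

    foreach ($ace in $acl.Access) {
        $isAllow   = $ace.AccessControlType -eq 'Allow'
        $isWatched = $ace.IdentityReference.Value -match $watch
        $canWrite  = ([int]$ace.FileSystemRights -band $writeBits) -ne 0

        if ($isAllow -and $isWatched -and $canWrite) {
            [pscustomobject]@{
                Folder    = $folder.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # False = set explicitly on this folder
            }
        }
    }
}

# Explicit (non-inherited) rows are the per-folder exceptions worth documenting.
$report | Sort-Object Folder, Identity | Format-Table -AutoSize
```

Rows with Inherited set to False are the folders where write access was granted deliberately, which is the list of exceptions the post recommends documenting.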