Phil said:
Does Microsoft have a best practice for adding users to the local
admin group of the machine? Do you recommend doing this and then just
locking the machine down with Group Policy?
Think about what you just said..
If you make the user a local adminstrator and then "lock down" the machine
with Group Policies - what have you accomplished? The user is a Local
Administrator. If they want to undo what you did - they can. The excuse of
"they won't know how to" is saying you don't know how to make them work
without giving them full privs...
There is no good reason to make a normal computer user an administrator on a
machine. Lots of excuses to - but no good valid reasons in the normal
scheme of things. Yeah - there has to be a user that is an administrator.
That user does not have to be the only/main user of the system.