I agree with Drew. However you can try by using restricted groups which will
enforce membership of the group configured as a restricted group at periodic
intervals which may be ninety minutes by default [which you can change]. You can
also restrict domain users to what mmc snapins they may run on their own machine
such as Computer Management and Local Users and Groups, and initially block
access to the command prompt under \user configuration\administrative
templates\system. Of course if they unjoin their machine from the domain, no
Group Policy from domain/OU level will apply.An average user may not even know
they are an administrator and restrictions may inhibit them, however a
knowledgeable and determined user will figure it out. I only mention all this
since it may be worth a try if you must make a user an administrator on their
local machine. Make a Ghost image or such of their machine before making a
change and if they breach your trust take away that power. --- Steve
Drew Cooper said:
Not really possible. Administrators have (or can get) complete control over
their machines.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
Joe said:
I have a win2k native mode network running active
directory with win2k clients. I would like to give a user
Local Admin rights to his box without giving him the
ability to add people to the Local Administrators group.
Is this possible and if so how?
