In general, there is not much difference on XP between Power Users and Administrators. Administrators have a few extra rights but otherwise, they are almost the same from the perspective of needing to lock down a system. If you are going through an effort to get to least privileged use, I would recommend going to Users, rather than Power Users. If you need to loosen up certain rights from there, I think its better to go that way than to let the user be more privileged than they need to be. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ryan Bannon Sent: Monday, November 24, 2008 8:40 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Local User Account Do you suggest giving people Standard User rights (Power User) or Restricted User rights (User Group)? Here is what we are really looking for and our setup. We don't want users to be able to install software and don't want them to have access to the root of the C: drive and most other folders on the C: drive. They will have access to their folder under Documents and Settings and the temp folders and a couple other to allow programs to run. So they won't have full access to the C: drive on their computer, only read access. I have locked it down using the File System and Registry settings in Group Policy. Ideally we would want them to be able to install local printers, which I know is only doable as an admin or power user. But we would be willing to live without installing printers if the Restricted users group is the best way to lock it down. We have set it to not allow software install and to not let windows installer to work. Any advice would be appreciated and let me know if you need more detail. I tried to be as detailed as I could. Thanks, Ryan From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Monday, November 24, 2008 10:47 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Local User Account It's a good point Andrew. Despite the pure evil nature of letting your users be admin., there are a still a lot of crappy apps (including some from MS) that still require it, or at least a relaxing of permissions. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew McHale Sent: Monday, November 24, 2008 7:42 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Local User Account Ryan, A word of warning if I may. A lot of 3rd party applications require certain levels of access to the computer. For example, our accouting package requires write access to its own installation folder inorder to save temp files. Unfortunately we are like you were with the small company attitude (we total 25 people) and so everyone has local admin access to their own machine (think happy thoughts Darren!). When I tried to take this away from a test user the application stopped working until I gave that user specific write permissions to this particular folder. So, in short, test what will happen if you take this level of access away from your users before you do it company wide. 250 computers all with faulting applications would be a serisouly bad day at the office for you! Andrew From: Ryan Bannon [mailto:ryanbannon@xxxxxxxxxxxxxxxxxxx] Sent: 24 November 2008 15:36 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Local User Account Darren, Very cool. Thanks for your help. I have been working on a new Group Policy for our company for a few months now and I wish I would have found this sooner. I appreciate it. Thanks, Ryan From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Monday, November 24, 2008 10:28 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Local User Account Ryan- Check out the whitepaper on my site about GPP (http://www.gpoguy.com/Group-Policy-Whitepapers.aspx). Its basically a free-add on that MS provides to give you additional capabilities within GP. However, in your scenario, if you are trying to remove a unique user account from the local Administrator's group on each machine, GPP won't help you. But, since your users are already administrators, you could create a simple GP-based logon script that lets them remove themselves from local administrators. Some thing like this would work: Net localgroup administrators %username% /delete Should work. Once the user re-logs in, then they will no longer be in Local Administrators. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ryan Bannon Sent: Monday, November 24, 2008 7:18 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Local User Account Darren, For the most part everyone is a local admin. We have had a small company mentality for quite a while, but now we have grown pretty rapidly over the last few years, and now are getting a larger profile in the industry, so we wanted to lock down our pc's and not let users do that much. So one of the steps is not giving them local admin rights to their pc's. So what is the Group Policy Preferences'? Is that an add on program or snap-in? And can it be added after having a Group Policy already in place? Thanks, Ryan From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Monday, November 24, 2008 9:51 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Local User Account Ryan- Yes, this is a perfect job for Group Policy Preferences' Local Users and Groups feature if you have rolled out GPP. If you haven't then you would probably have to use a computer startup script to do it. Is the local user account different on every machine? Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ryan Bannon Sent: Monday, November 24, 2008 6:34 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Local User Account I am looking for a way to change the local user account type for our computers. Right now we have them as local administrators, but we want to change that to just a local user. We have around 250 computer, so I don't want to have to do it manually. Is there a way to do this with Group Policy? Thanks, Ryan Bannon IT Support Technician Pioneer Surgical Technology