There really isn't any truly effective way to provide limited local admin authority - in your environment. Your best solution is to not provide any admin authority at all. If you can't live with that (too much workload and not funded/staffed for the workload) then your only recourse is to use non-computer implemented policies (the old "these are the rules you will live by and you are playing you-bet-your-job if you break them") combined with LOTS of education of your users.

The education isn't really that big a deal - it is mostly a matter of documenting what is and isn't allowed for them to do and then reinforcing that by repeating the mantra over and over again (every time you talk to any user you mention something or other about "the policy").

BTW - just in case you didn't know this ... stuff like Gator and Comet Cursor and other 'freebies' from the net are all various forms of spyware. If you haven't attempted to bring your users up to speed on the topic of spyware you should do so.

************************************************************

Here are my 'basic rules':

1) NO freebies from the web unless installed by I/S support person(s).
2) No screen savers of any kind except the MS Blank Screen.
3) All software installed by the user must be pre-approved by the support organization BEFORE installation.
4) All 'standard' software installed by support (such as office, accounting software, email clients, etc.).

And then the blanket "this computer is for business related use only and any other use is not authorized and may result in your loss of your computer or job".

*************************************************************

Be on the lookout for users who "know too much for their own good" (and yours!). The ones who are always asking you about the latest and greatest buzzwords and who brag about having a great system at home and want nothing less than the same here at work - but when you talk to them it is clear that they are just a problem waiting to take up a lot of your time. Because they are willing to 'experiment' with their own computer and change it all the time (and usually get into trouble frequently). These are the users who are most likely to also 'mess with' the computer they use at work.

Often all you have to do is to get them to understand how much time it takes you to fix the problems and they will understand what is really happening and why they should treat their work machine differently than their personal computer at home ... sometimes a little 'delay' in when they get the problem they created fixed can get their attention if all of the regular methods have already failed (talking to them, etc.).

*************************************************************

AGAIN - the best practice is to not give users admin authority. If they need a program installed you will have less overall work if you go to their machine and do the install for them. Overall this will be less work in the long run - especially if you combine it with a 'standard setup/preparation' that you do to the computer before the user ever gets it (that includes the install of all of the basic software).