Windows

Most people handle their own installs just fine. We setup users to be a local admin and most people will not do anything to destroy themselves.

However, you do get a few experimenters in every group. The most common thing that happens is that people will take themselves off the domain (in order to connect to a home office worgroup and backup files or offload them to another machine), and then not be able to get back on.

But, the handling of users' and the ability of them to install specific software that they need (or hardware for that matter) has not been a great problem for us. And the few who want to do other stuff, will usually check before doing anything (to make sure that it is okay).

Before you give your users local admin rights, you must know your end-users. Are there messing up the systems and you have no clear policy for re-installing a system and it takes too much workload, don't give them the rights.

There are solutions,such as:

- SMS
- GPO
- SU-account (This account make you temporary
local admin with a user acccount and after
installation of e.g. application you are back
normal user)
- Maybe Power-user is enough

Thanks for the quick answers. My users are very careful and usually do not mess with things without asking first. I think this will make our lives alot easier. Since I am still a newbie to Active Directory & Win2k, my concern was local admins might have some capabilities on the general network that I wasn't aware of.

all of the above, plus no, they cannot mess things up on the network with local admin rights. Whatever user ID is admin on local, the network settings, rights and policies for that user are set on the server and there you can restrict whatever. Theycan only mess up that particular workstation.