I have a Small Business Server installation at an office where we have more users than computers. We use roaming profiles to let all the users on the network and gain access to their data. We also have a fair amount of turnover so users are being added and deleted all of the time. When I add a new user and they use any of the Office programs for the first time on a computer it launches the Windows Installer to let them finish the initial setup for that program for each user. If this user has not be given explicit local administrator privledge, they can't finish the install and just get an error code. If the users is given local admin privledges, then the installation finishes with no problem and its never an issue again. Right now I have to go to each computer that the new user works on and give them local admin privledges; which is ineffecient and time-consuming (and not as secure as I'd like). What I would like to do is create a Group Policy that allows users to either (in order of preference):
a) Be able to finish the install of these programs without having to be local admins
b) Allow users to be local admins of these computers when their accounts are created
I'd like to create this policy on the DC so I can have as centralized as possible administration for the network.