Looking to create a system for home use with children, they need to be able to have Administrator level privs to install and run games etc, but they need to be denided to alter the other childrens personal (school) files.
can stop the Administrator Group getting access to files by stoopping Inhenentance and and also stopping the Administrator group being able to take ownership of objects using Local Policy.
but need to be able to Stop Administrators group being able to change local policy and give that ability to anotehr group or specific users, ie the parents.
Or the other soln would be to be able to create a new group that has almost every ability that the administrators group has.
I'm not interested in protecting the OS system, just each childrens and parent files from other users changing or deleting them.