My network environment is Win 2K server, 1 Active Directory domain with approximately 40 users. I have the users broken down in 6 OUs, but have only 1 GPO at the domain level (default domain policy). The reason for that is except for the IT department 5 users, all users should have the same desktop restrictions.
Question 1: There are 6 users that need local administrator rights to their PC because 2 applications that they use require it - I spoke to the vendors.
The only way I knew to give them local administrator rights to their PC is by going to their PC and adding their domain user name to the local administrators group.
Is this correct or is their a way to control this through a GPO? I would prefer a GPO, as I want this to be done centrally - not by me going to a specific PC.
Question 2: When I added the user to local administrators group, the domain level GPO no longer was applied when the user logged onto the domain. Is this correct? If so, how can I have a GPO apply to them? Except for being able to run the two applications that require local administrator rights, I still want the users be restricted re:other things, e.g. IE security, no control panel, etc.