Local Administrator vs Group Policy Lockdown Practices
I am wondering what common practice is as far rights on client pcs, not necessarily servers. In the past we were allowing our users to be a local administrator on their own pc since some of their software would not run with lesser priveleges. It seems now that most of their software will run as a power user, so we have switched everyone over to a power user to tighten security and prevent them from making changes. Now what I am wondering is why not leave the user as a local administrator on their own computer and use group policy to lockdown it down.
It would seem like I would have more flexibility of what I want the user to do and what I don't want them to do. But, there may also be things a local admin can do that a group policy could not prevent. Like software installations.
One thing I noticed as a power user is the user cannot download windows updates. So if the user is only a power user and gp is set to automatically download updates, will it work because of the user rights?
I suppose I am just trying to find out the best practices or what everyone else does regarding permission level on their client pc's.