darovitz asked:

Lock down local admin account

I have recently locked down the local admin account on all my network machines. Now I must justify it. This should be fun for all experts. I have a few reasons, but I would like many. Can you give me a list? FYI: every user had local admin rights with their own user names and passwords on multiple machines.

johnb6767:

You locked it down intentionally, and would like supporting reasons? Am I understanding this right?

darovitz (ASKER):

Yes.  I will assign power users to some accounts as I find out who they are.
Not locked out, locked down.
Personally, I always rename the Administrator account to one of my personal support accounts on my machines. Then I will rename the Guest account to Administrator. That way, if someone tries to get Administrator user on my machine, then they won't have rights for ANYTHING. Unless there is an exploit that isn't patched yet, I am sure.

Granted you can still get Admin level access with a domain admin user account, right?



Touchy is a good word for this... different scenarios require different answers... most of the clients I deal with would simply walk away if I told them they cannot have admin rights... the workaround is to slam them down with group policy. Just my $0.02.
Ok... now how do I give them all power user rights...
As James says, restricted groups will do it..  or you can go to each machine and add the user to the Power Users group...  but remember, Power Users are just users with elevated privileges...  still may have some issues to deal with here..
Ok.. that was fun (and a pain).  Now all my machines are clean and I know who needs local admin rights and which software they are using.

I removed the restricted groups policy and all is well.

I would not advise anyone to do what I did unless you know your users.
Good job everyone, I learned a lot.
Restricted groups can be tricky too :)
Fun?  :)

Glad you got it resolved though!  Have a great week!
I use a computer startup script to assign power user rights to everyone.  Assign a GPO to the OU where all your workstations are.

net localgroup /add "power users" "authenticated users"
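
One way to check the result of a lockdown like the one discussed in this thread, as an added example that is not code from any poster: a PowerShell audit of the local Administrators and Power Users groups that matches groups and accounts by well-known SID rather than by name. The `EXAMPLE\...` entries in the allow list are placeholders and the function name `Get-MemberFinding` is hypothetical.

```powershell
#Requires -Version 5.1
# Added example: report who is in the local Administrators and Power Users
# groups. Groups and accounts are matched by well-known SID, not by name,
# so renamed accounts and localized group names are still recognized.

# Assumption: placeholder allow list; replace with your own approved principals.
$ApprovedAdmins = @('EXAMPLE\Domain Admins', 'EXAMPLE\Workstation-Support')

$AuditedGroups = [ordered]@{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-547' = 'Power Users'
}
# Principals that cover every logged-on user: Everyone, Authenticated Users,
# INTERACTIVE, BUILTIN\Users.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545')

function Get-MemberFinding {
    param([string]$GroupName, [string]$Name, [string]$Sid)

    if ($BroadSids -contains $Sid)        { return 'BROAD: grants the group to all users' }
    if ($Sid -match '^S-1-5-21-.+-500$')  { return 'Built-in Administrator (RID 500)' }
    if ($GroupName -eq 'Power Users')     { return 'Review: elevated, not a plain user' }
    if ($ApprovedAdmins -contains $Name)  { return 'Approved' }
    return 'UNAPPROVED administrator'
}

$report = foreach ($groupSid in $AuditedGroups.Keys) {
    $groupName = $AuditedGroups[$groupSid]
    try {
        $members = Get-LocalGroupMember -SID $groupSid -ErrorAction Stop
    } catch {
        # Group missing, or membership unreadable (e.g. orphaned SIDs).
        Write-Warning "$groupName on ${env:COMPUTERNAME}: $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Group    = $groupName
            Member   = $m.Name
            Sid      = $m.SID.Value
            Finding  = Get-MemberFinding $groupName $m.Name $m.SID.Value
        }
    }
}
$report | Sort-Object Group, Finding | Format-Table -AutoSize
```

Run it elevated on a workstation; a `BROAD` finding on Power Users is what the startup-script line above produces on every machine in the OU.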