we are running a 2003 AD domain here with GPO etc.
I am tasked with creating a set of laptops for staff to take home and work on, but I want them to be locked down so that they can't muck about with them and cause me a headache.
The trouble is that they will need to install a local printer at their end. I know about adding them to the Power Users group and changing the local policy to allow Load/Unload Device Drivers but being a Power User also allows the user to:
- Run legacy applications, in addition to Windows 2000 or Windows XP Professional certified applications.
- Install programs that do not modify operating system files or install system services.
- Customize system wide resources including printers, date, time, power options, and other Control Panel resources.
- Create and manage local user accounts and groups.
- Stop and start system services which are not started by default.
....and installing programs is what we want to stop.
Is there anyway of me locking this down so tight that it squeaks but also allow them to install a local printer?