Best Way to give users FULL control of their local machine without accessing other computers (C$)
I am trying to find the best way to lock my users down from being able to access other workstations via the admin share C$. Currently our network is setup where all workstations had the <domainname>\Domain Users group in each of the local workstations administrators group. This was setup this way because we need every user to be able to install software / remove software / start & stop services update clock etc etc... However we don't want these users accessing other workstations via the remote share C$
I believe i could set each user up in their local admin group and that would stop them from accessing other machines BUT if that user tried to log onto another machine it would not allow them the same rights as they have on their own workstations.
net localgroup Administrators %userdomain%\%username% /add
You can then also create a logoff script that removes the user from the local administrators group:
net locagroup Administrators %userdomain%\%username% /delete
You will obviously need to run the first script with elevated permissions as the user won't have the rights to add themselves to the local administrators group.