Server 2003 Domain - users need the ability to perform updates (Vista) and install software (Vista and XP)

Users must be Local Admins.

I f the users are in a 2k3 domain structure then I would start with Window Update Services (WSUS) it is a free tool provided by microsoft that allows more granular controll of the the Windows update process. As far as software that the users need to install, I would just publish those applications via group policy and then when a user needs to install of update a software package then that application is available in the start menu for the user to install, if you wish to push the software then just assign that application. Hope this helps :)
 

I remember having a similar problem and if I remember correctly, I created a user called 'Application' on the local PC that had install rights via the local PC group policy.  When they wanted to install apps, they would simply shift-rightclick on the exe and execute as the application user.

This is quite risky though and the real solution is for the administrator to do the updates.  The suggested solution can lead to problems.

I wonder if there are any third party apps that can manage this?

If you have a big company there is actually a much better way of doing this. You will still have to go to every machine, but you will have much higher Management Power.

Create a Security Group in Active Directory called "LocalAdmin". Walk over to each machine and add that Security Group to be a Local Admin just like andrewc2189 explained.

Except instead of adding a user, add the "LocalAdmin" Group to the Local Administrators Group.

After doing that to all the machines, you can now add users to the LocalAdmin Group in Active Directory to whom you want to grant Local Admin rights.

This is a very small company - 10 users.  I am the "Outside consultant".

So if user "Mike" is a "Domain User" - I can go to Mike's PC and add him as an administrator of the PC...  that is what it sound like would be the best solution.

I'll give it a shot!

Use restricted groups (GPO > computer configuration > windows settings > security settings > restricted groups).
With restricted groups you can define groups and it's members on computers. Make sure to link the GPO to an OU where the computer objects are.

Lekos: Sorry I meant smaller company, instead of big.

That is a very good idea and im planning to implement this at a company I'm supporting..

I'm glad to see there are a lot of responses for solving the issue in many different situations.

I would like to point out that if you do the easier solution of adding a group instead of each user, you are then giving every user in that group admin rights on every machine in the entire company. There are many situations where you may want a user to have admin rights on only their computer, but if you throw all users into a group and give the group admin rights on every machine, they could go to anyone else's machine and have the same privileges.

If that's a situation you do not want, I only know of going to each computer and adding the individual to the admins group.