How to assign local admin rtights but not allow certain changes to be made

Hello Experts,

 I need to assign certain users on our 2003 domain to have local admin rights, but not to be able to change or disable the domain Local Administrator account or change or disable any of the domain or network settings.

I kind of need this in a hurry so if anyone can help I would greatly appreciate it.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

"Power Users" rather than "Local Administrator"?
You can make them local admins and then lock everything else down with Group Policies. Are you familiar with them? If you I can probably give you a few links to get you started.
Toni UranjekConsultant/TrainerCommented:
Hi tcmadmin,

Once user is member of local Administrators group you can not restrict his/her account from having full access. The question is which user rights exactly do you need or, what exactly are you trying to achieve?


The Five Tenets of the Most Secure Backup

Data loss can hit a business in any number of ways. In reality, companies should expect to lose data at some point. The challenge is having a plan to recover from such an event.

tcmadminAuthor Commented:
The users should be able to be able to modify most settings, but not take full control of the machine. Download software, make changes to most settings, I would like to keep them out of local policy and computer managment, and to not let them make network changes. I am not not real familiar with the GP settings on that stuff.

Thanks for helping out in advance.
Toni UranjekConsultant/TrainerCommented:
You will have to be very specific. If you mean by "download software" download and install programs, users have to be in local Administrators group and once they are you can not prevent them from doing "anything". Policies will not help, local admin can easily bypass any policy setting.
tcmadminAuthor Commented:
Users mainly need to install software and any changes that would be related, That is a broad spectrum but unfortunatly is where I am at.

Toni UranjekConsultant/TrainerCommented:
I will repeat, unfortunately, there is no solution for your problem. Only members of local Administrators group can install software and you can not impose any restrictions to members of local Administrators group.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tcmadminAuthor Commented:

 thanks for the answer, I was hoping there was some other way to allow the users to have most control features, but still be able to control certain variables.

thansk again,

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
.NET App Servers

From novice to tech pro — start learning today.