I need allow users to install software or new printers on their own machine when it is currently locked out by the group policy object

I have a new customer who has a domain setup on a Windows server2003 standard. The company that originally set this up locked it down so tightly with group policy that the users cannot install software on their own desktops.
Cannot even use the cd-rom on their desktop. They have to call this company in to install a newer version of quickbooks, or any updated software. They are not under contract with the previous company and get charged outrageous amounts of money every time they come out. An example of this would be the new version of quickbooks. They were charged for a 3 hour install @ $150 per hour. There are only 4 desktops on this domain.
They are being raped by the former IT company. The former IT company refuses to come and open up some restrictions in the group policy, saying “It needs to be that way or you will have more problems. They cannot even install a new printer to a local machine. Anyway I do not have much experience with Group Policy and am just looking to give users the ability to perform their own software upgrades and printer installs. Not sure where in the group policy object to do that. Any help would be greatly appreciated.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Darius GhassemCommented:
Here is the problem the user most likely aren't part of the local Administrators group or Power User group. Add domain users to the Local Admin group. You need to logon as a Admin to add them to this group.

If you want to remove the GPOs then look for Group Policy Management to see what GPs have been applied then remove them.

You can also go into AD Users and Computers right-click the domain go to properties to check for GPOs there as well.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
darius is on point ...
instead of adding the specific user to the local admin group, just add domain users (since your in a domain) and anyone who authenticates against the AD (domain users) will have local admin rights to there own pc's.

ie, allowing them to add printers and upgrade/install software
Mike KlineCommented:
What is your role - are you a domain admin or have you been delegated rights.

You can use Group Policy Management console and take an RSoP report to see what is being applied. You can also run gpresult at the command line to get similar info (RSoP is easier to follow)

Certain applications will require local admin rights even if there are no polices so that may still be an issue.

With only 4 desktops I'd even think about making someone there a "site admin" (basically make them admin on the 4 pcs and they can install software themselves)

One problem with so many restrictive policies is that some policies even after you remove them still apply (known as tattooing) http://www.gpoguy.com/FAQs/Whitepapers/tabid/63/articleType/ArticleView/articleId/5/Understanding-Policy-Tattooing.aspx

The only place I've seen lockdowns as tight as you have is a classified/military environment. I wonder what harm the CD rom would do.

etoffAuthor Commented:
Thanks to all who helped me.
I used Darius's solution and all is now resolved
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.