I need allow users to install software or new printers on their own machine when it is currently locked out by the group policy object

I have a new customer who has a domain setup on a Windows server2003 standard. The company that originally set this up locked it down so tightly with group policy that the users cannot install software on their own desktops.
Cannot even use the cd-rom on their desktop. They have to call this company in to install a newer version of quickbooks, or any updated software. They are not under contract with the previous company and get charged outrageous amounts of money every time they come out. An example of this would be the new version of quickbooks. They were charged for a 3 hour install @ $150 per hour. There are only 4 desktops on this domain.
They are being raped by the former IT company. The former IT company refuses to come and open up some restrictions in the group policy, saying “It needs to be that way or you will have more problems. They cannot even install a new printer to a local machine. Anyway I do not have much experience with Group Policy and am just looking to give users the ability to perform their own software upgrades and printer installs. Not sure where in the group policy object to do that. Any help would be greatly appreciated.
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

Darius GhassemConnect With a Mentor Commented:
Here is the problem the user most likely aren't part of the local Administrators group or Power User group. Add domain users to the Local Admin group. You need to logon as a Admin to add them to this group.

If you want to remove the GPOs then look for Group Policy Management to see what GPs have been applied then remove them.

You can also go into AD Users and Computers right-click the domain go to properties to check for GPOs there as well.
darius is on point ...
instead of adding the specific user to the local admin group, just add domain users (since your in a domain) and anyone who authenticates against the AD (domain users) will have local admin rights to there own pc's.

ie, allowing them to add printers and upgrade/install software
Mike KlineCommented:
What is your role - are you a domain admin or have you been delegated rights.

You can use Group Policy Management console and take an RSoP report to see what is being applied. You can also run gpresult at the command line to get similar info (RSoP is easier to follow)

Certain applications will require local admin rights even if there are no polices so that may still be an issue.

With only 4 desktops I'd even think about making someone there a "site admin" (basically make them admin on the 4 pcs and they can install software themselves)

One problem with so many restrictive policies is that some policies even after you remove them still apply (known as tattooing) http://www.gpoguy.com/FAQs/Whitepapers/tabid/63/articleType/ArticleView/articleId/5/Understanding-Policy-Tattooing.aspx

The only place I've seen lockdowns as tight as you have is a classified/military environment. I wonder what harm the CD rom would do.

etoffAuthor Commented:
Thanks to all who helped me.
I used Darius's solution and all is now resolved
All Courses

From novice to tech pro — start learning today.