Hope you are all well and can help.
Our company has historically given all it's users local admin access to their machines.
As an IT department, we have struggled to put the case to the powers that be, that is is not best practice in any sense.
The reason they have decided on this is to allow users to install applications.
My questions to you guys are these....
1) Would we be better off removing standard users from being local admins, and instead granting them membership of the Power Users group?
2) In what ways would we be better off?
3) What limitations would there be if we did this in terms of what a Power Users group cannot do and what the local admins group CAN do?
By knowing the real difference between these two groups capabilities would then give us a good idea on whether it is a viable thing to do or not.
Any help greatly appreciated.