I have a server running AD DS and I've created a user (UserA). Under AD DS Users and Computers, UserA is in two groups: Builtin/Administrators and [my domain]/Domain Users.
When I log in as UserA on a random client (which is on the domain), I have local admin access. But I only want this user to have User access (aka not install programs, etc.). When I go to the LOCAL users and groups settings, there are only three users: Administrator, Default Account and Guest--ALL of which are disabled.
1. How do I restrict UserA so that it is merely a Standard User on any given computer on the domain, and
2. What is best practice as far as Administrators go on LOCAL computers? Should I use a GPO to create a local admin account on each computer? Should I just keep the local Administrator account active vs. disabling? What do you guys see in SMB environments?