We have a campus network with W2K clients and NT servers. Plans to go to 2000 for servers and Active Directory are far in future. We want to restrict/deny the local user's ability to install software on computers. Management's view is to take "local admin" rights away from users, but we find in testing that that local user gets restricted on a whole lot more than just software installation capability. Any ideas?

try using mmc and group policy to apply restrictions to the users. A.

By default only admin can install software on the computers running w2k. so u do not need to do something. installations of software which update the registry can only be installed with the admin account. I don't understand exactly what u mean with local user gets restricted on a whole lot more than just software installation capability. let me know. good luck

Take a look at microsoft's web site and check out 'security templates'...it sounds to me like you need to apply the 'compatws' template to your workstations.

mcseer- installations can be performed by any user with administrative priveledges, not just THE administrator. What Barry is saying is that if they take local admin rights away from their users and make them say, power users, it's not just sticking a disk in a drive and installing software that they will be restricted from, they also may not be able to add printers or update antivirus definitions and depending on the settings, they may get random warnings in applications like Interent Explorer and even Office. All kinds of little surprises pop up and forget about walking them thru troubleshooting over the phone, as soon as you get to the part where you have to remove and re-add something, it's all over. I think Curts idea is just the ticket for you, Barry. Good Luck Cleo

Thanks to all for your responses. I appreciate the help. This is the first chance in a week I have had a chance to look at my query. We find that the list of problems by simply not making users "local admin" being adding printers, antivirus updates, login scripts, access to tmp directories, opening or saving email attachments, opening documents from our company intranet, etc. Since we are not employing Active Directory yet and our servers are not updated to 2000 from NT 4, it is quite an interesting situation. The team I am on are testers/integrators trying to come up with the solution to stop 1000+ users from installing anything they want. Also, we don't want to have to go back and reconfigure every machine individually. I will check out the "compatws" template. Again, thanks, and please respond if anyone has any other ideas.