> 2) Spyware hangs around for a long time. Our users used to have admin
> rights so there is a lot of "legacy" spyware around

Create a project to re-build these machines? If you've got a standard deployment image for workstations, this might not be too disruptive.

> 3) We still have business critical applications that won't run without
> admin rights. Often these are tightly integrated in a large suite of
> applications, e.g. the Call Centre management suite, so we still have
> some machines where users have admin rights. I know this sucks but
> there is certainly no cash available to replace these apps....

Is there a budget to deliver these 'special' apps via Citrix or at least MS Terminal server, hence isolating them on a locked down server which users cannot browse the web from, and allowing you to drop their local workstation access level down to something sane?

Or to virtualise these apps on each desktop, again isolating them and allowing you to drop the local workstation access rights down a notch or two.

--
Robert Moir
Microsoft MVP for Windows Servers & Security
Senior IT Systems Engineer
Luton Sixth Form College

Right vs. Wrong | Good vs. Evil
God vs. the devil | What side you on?

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx