In my environments NO ONE EVER gets local admin, politics be damned - a common saying is "I don't care who you are, how much you make or who you know. You're NOT getting local admin."
Sure there's some nuclear fallout once in a while, but everything runs much much smoother in the long run. By myself I'm ultimately responsible for 300+ machines and that many stations is *not* a big deal. It helps that the most complicated program 80% of those stations run is MS Office. Based on what I've seen, if you don't have local admin you're bordering on not needing AV & AS packages. Yes, it's a bold statement, but true in some of my environments - I've validated it over the years with a laptop running a commercial AV package (currently Kaspersky). The only things it catches are cookies and malware installers in home folders. Salvador Manzo wrote: > Local Admin is the exception, and generally only occurs for political > reasons. Apps which "require" local admin get run through FileMon and > RegMon to tear down minimum rights, and GPOs set any required > permissions based on group membership. -- Phil Brutsche [EMAIL PROTECTED] ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
