OK. Gripe time. One of my co-workers was asked by a customer, "Can you prevent a local admin from deselecting File and Printer Sharing?"
Come to find out, everyone in their domain was a local admin.
Here's the problem... I used to get similar questions to that one a lot in that exact scenario. They all have the same answer. You can use a GPO to hide junk, but the local admin can always circumvent those processes.
We're shoving LUA and Least Privilege down your throats and we're still getting these questions.
Here's how I would have responded to that customer today if I knew I wouldn't get fired...
You're an administrator. What are they paying you for? So you made all of your users local administrators so they could install printer drivers or so they could install their favorite cool toolbar which is really spyware. You're essentially delegating your responsibilities to the end user for what? So you don't have to hear them gripe. Nice work. So to prevent 20 phone calls, you increased your attack surface area 80 million percent. You don't have any control over your environment anymore. Sure, you can react now. No more cutting off the problems at the knees. Joe Enduser goes to a website, clicks on a link and gets a virus, block the website. Jill Enduser clicks on a link in an Instant Message and gets a virus, port out Instant Messaging.
How about this? When you were really building your fantasy team or playing World of Warcrack you could have been investigating Software Restriction Policies or actually packaging the drivers for the printer that 20 people who are all in the same OU use and pushing that MSI down using that SMS Deployment you bragged about in your last review. Now you are bracing yourself for the next virus introduced by those local admins and the 5 days of lost production due to cleanup. The wrong guy is going to get fired. The poor guy you made into a local admin who thought he was getting an IM from his mother who introduced the virus is going to get fired. Not the lazy admin who had three people nag at him because they couldn't download the MP3 software so he made everyone a local admin to "fix" the problem.
Worse than that, we actually built a feature into the Windows Vista product that essentially stops everything and asks you if you are "really really sure" if you want to install that malware even if you are local admin. And you can turn THAT off. So please... please... for your sake. If you're going to give Pat Enduser local admin, please don't turn that off. At least that way Pat will have someone who is doing the right thing on his side (not you, dude - the person who wrote that code into Vista).
Do me a favor. Read into LUA.
P.S. Stop being lazy. And don't think Power Users is any better (http://blogs.technet.com/jesper_johansson/archive/2006/03/12/421870.aspx)
BTW, I am not perfect, either. I ran into one of the above Enduser problems once when I didn't know any better. Not going to tell you which one, but I too was lazy. Of course (and luckily), I was a one-machine administrator at the time.
This posting is provided "AS IS" with no warranties, and confers no rights.