I am configuring the security of a WIndows XP desktop which is member of an Active Directory domain.
We would like to have all users be member of the default Users group and all support personnel (HelpDesk, Deployers, etc…) member of a special group which almost the same rights as Administrators (full installation capabilities), but not member of the Administrators group because we don’t want them to be able to connect to the default c$ share of any desktop.
I am trying to accomplish this through Security Template, assigning to a group we have defined on the domain, the same settings as the Administrators group and granting them modify rights on c:, %systemroot% and the registry in order to be able to install any application or tool they might need in their supporting activity.
However I have find out that many application, including Office, do not allow to be installed unless you are actually member of the local Administrators group, which makes my solution not valid.
Is there any other way to accomplish our goal? I know that we could probably manage the installation of certain applications through group policy, but we are not Domain Admins and we are not allowed to use them at this time.