Indy: The users do log in to the domain under their own roaming profile account.
Bert: In this particular case, the domain admin group is functionally the same as the administrators group. The domain admin has additional abilities such as changing schema settings, etc. Since we only have one domain it is a moot point.
I agree that managing the local computers without having each user as a local admin WAS a pain!
I removed or disabled all local login accounts on each machine except "administrator". Each user account on the domain only has permission to do the various activities required by their jobs. The AC main folder (and all subfolders) has the correct permission settings. Only the terminal server allows authenticated users to be local administrators.
I set the local administrators to be domain users because there are only a few computers where just one person uses it. The majority of computers are used by everyone.
I set the local admin manually on each machine when the machine is set up. It is not done from the server using group policy or any other method.
It appears that we are set up as secure as possible given our office requirements. We don't want to "lock everything down" but we do want to limit virus attacks and virus spreading.
Thanks to all for your review and suggestions!