Originally Posted by Bert
Best practices would say that any domain admin would restrict local users to users and not local admins.
However in the real world it is generally not practical. SBS 2003 makes users local admins by default and 2008/2011 makes it easy to do so. If you don't make them admins, the admin has to logon to update Acrobat and every other nuisance application or driver. Generally you keep the server and data safe and take the risk with the workstation. NEVER make them domain admins. Still the best practice, if possible is to keep them as basic users.

Originally Posted by James
If users are local admins, they can override any NTFS permissions you have given to limit their access to files/folders on that computer.
True, you can restrict a local administrator with NTFS just like a user, but an administrator can take ownership of a folder and then change the permissions. But, why would they? There should be NO data on the PC. Not only that, the average user is not going to know how to take permission of a folder. AND, it is one thing to change your wallpaper, but quite another to make an actual permission change to a folder where the folder clearly shows their name as the owner.


Originally Posted by James
If users are local admins, they can override any Group Policy settings you have given them.
No they cannot.

Originally Posted by James
Rule of Thumb: You can NOT deny an administrator.
I will have to admit here that I have never tried this, but I do not think this is true.

Originally Posted by James
The ONLY account that has any power over users with administrative rights is the built-in account known as Administrator.
The built-in administrator account, often referred to as a 500 account, is almost NEVER used by an admin. It has a few more powers than a domain admin, but they are basically the same.

Originally Posted by James
And the only power it has over users with administrative rights is the power to revoke their administrative status.
Not true. Local admins are trumped by domain admin, domain admin is trumped by enterprise admin.

Originally Posted by James
To be honest, on a network that is set up properly, you should rarely have to log on as administrator, anyway.
Very true, in an ideal world. Microsoft best practices state you should never work as an administrator and you should never log onto servers, but rather use RSAT (Remote Server Administrative Tools). And the law says we shouldn't drive over 65. What we should do and what we do do are two different things. There are sites where users are just users and somebody has to install every application and update for them. I can't stop seeing patients every time Adobe wants to update or Firefox has a new version.


Bert
Pediatrics
Brewer, Maine
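The thread turns on who actually holds local Administrators membership on the workstations. As an added example, not code from Bert's or James's posts, the PowerShell below enumerates the local Administrators group on one or more machines and flags plain domain user accounts (the per-workstation admins Bert describes). It uses the WinNT ADSI provider rather than Get-LocalGroupMember so it also works against SBS 2003/2008 era clients; the computer list and domain name are assumptions to be replaced with your own.

```powershell
# Added example: audit local Administrators membership across workstations.
# Assumes PowerShell 2.0+ on the admin box, remote registry/ADSI access to the
# targets, and that $Domain is the NetBIOS name of your AD domain.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # assumption: local machine only
    [string]$Domain = $env:USERDOMAIN                 # assumption: current user's domain
)

function Get-LocalAdminMembers {
    param([string]$Computer)
    # Bind to the local Administrators group via the WinNT provider
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke("Members"))) {
        $entry = [ADSI]$m
        $path  = $entry.Path               # e.g. WinNT://CONTOSO/jdoe or WinNT://PC1/Administrator
        $class = $entry.SchemaClassName    # "User" or "Group"
        $parts = ($path -replace '^WinNT://', '') -split '/'
        New-Object PSObject -Property @{
            Computer     = $Computer
            Account      = "$($parts[0])\$($parts[1])"
            Class        = $class
            # A domain *user* (not a group such as Domain Admins) sitting in the
            # local Administrators group is the case the thread is debating.
            IsDomainUser = ($class -eq 'User' -and $parts[0] -ieq $Domain)
        }
    }
}

$results = foreach ($c in $ComputerName) {
    try   { Get-LocalAdminMembers -Computer $c }
    catch { Write-Warning "$c : $($_.Exception.Message)" }
}

# Full membership table, then the accounts worth a second look
$results | Sort-Object Computer, Account |
    Format-Table Computer, Account, Class, IsDomainUser -AutoSize
$results | Where-Object { $_.IsDomainUser } |
    ForEach-Object { Write-Host "REVIEW: $($_.Account) is a local admin on $($_.Computer)" }
```

Run it periodically from a management workstation and diff the output against your last run; new domain user entries in the local Administrators group are the ones to ask questions about.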