I have a lab with 50 Win2k computers and a group policy in place. How can I use GPO to give power user rights to the lab students, so they can run applications that write to the registry? I do not want to create local accounts for the students because I do not want them to log on locally. Thank you very much for your anticipated help.
The Power Users group is a local group on workstations and servers. To make a domain group of users, i.e., your "lab students," members of the local group on workstations, use the Restricted Groups container in the GPO linked to the OU in which these user accounts reside. Add the Power Users group, and then add the domain group you have created for your lab users. When the workstations refresh their group policy, the setting will take effect, and the Power Users group will have the domain group as a member. Since users do not have local accounts, they will not be able to log on locally; however, they will have power user privileges on the workstation.
Another question to ask yourself is what applications are causing these problems? Then do the research to see what keys they need to access. Give the domain group that users belong to the right to write to these keys on workstations. Then you do not have to give them power user privileges.
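The two options in the answer above, written as a security template that can be imported into the GPO's Security Settings node. This is an added example, not part of the original answer; the domain group SID and the `ExampleVendor\ExampleApp` key are constructed placeholders.

```ini
; Constructed security template (.inf) for import into the lab GPO under
; Computer Configuration > Windows Settings > Security Settings.
; Assumptions: the SID ending in -1105 is a placeholder for the domain
; "lab students" group, and ExampleVendor\ExampleApp is a hypothetical key.
; Use ONE of the two options, not both.

[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Option 1: Restricted Groups.
; S-1-5-32-547 is the well-known SID of the local Power Users group.
; The Members list is authoritative: at each policy refresh any account
; not listed here is removed from Power Users on the workstation.
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105

; Option 2: grant write access only on the key the application needs.
; Format: "key path",mode,"SDDL". Mode 0 applies the ACL to this key and
; propagates inheritable permissions to its subkeys.
;   BA = Administrators, SY = SYSTEM: full control (KA)
;   BU = local Users: read (KR)
;   lab students group: read and write (KRKW), no full control
[Registry Keys]
"MACHINE\SOFTWARE\ExampleVendor\ExampleApp",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)(A;CI;KRKW;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
```

Option 2 keeps students out of Power Users entirely, so their write access is limited to the listed key and its subkeys.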