First, do not make them administrators of the server. (Windows, if I am an admin I OWN the server.) Next, set a policy to deny specified users / groups access to regedit.exe. I would also have a policy that they cannot edit the registry. Logging and enforcement of the policy is required or someone will ignore. NOTE: 1: This is not a perfect solution and there are many ways around the restriction of a file, including third party registry editing tools. NOTE 2: So long as they are not an administrator of the server, they cannot edit the machine hive. Should they blow up their own profile, delete it and it recreates on next log in. having to reset all you custom settings a couple times usually convinces people to stop doing things they shouldn't. (Not perfect either as some vendors grant users permissions to their machine hive settings.)

First, do not make them administrators of the server. (Windows, if I am an admin I OWN the server.) Next, set a policy to deny specified users / groups access to regedit.exe. I would also have a policy that they cannot edit the registry. Logging and enforcement of the policy is required or someone will ignore. NOTE: 1: This is not a perfect solution and there are many ways around the restriction of a file, including third party registry editing tools. NOTE 2: So long as they are not an administrator of the server, they cannot edit the machine hive. Should they blow up their own profile, delete it and it recreates on next log in. having to reset all you custom settings a couple times usually convinces people to stop doing things they shouldn't. (Not perfect either as some vendors grant users permissions to their machine hive settings.)