We are a Samba/LDAP domain with primarily Windows 7 clients.

Our end user policy is a little laxed and recently we have had some users

who are.... taking advantage of the access to the computer that they have.

We do not have Active Directory!!!!

We would like to look at ways to shut out some features on the computers.

We have played around with using the Local Group Policy to restrict access to certain aspects of the machine. We have accomplished this by copying the "GroupPolicy" folder to our target machines and forcing a gpupdate. It has worked well in our tests.

We have login scripts that run other configuration's on the machine. Some registry edits, software install, deployment of our local group policy, etc. One problem with this is that in most cases the user's have to be local admin in order for the scripts to run properly.

The problem that we are running into is that no matter what way we go we seem to break functionality in one form or another. Either our login scripts do not run properly due to lack of permissions, or the user is granted to much access to the system.

I have been looking at a tool called Steel RunAs.

It has the ability to elevate permissions on a running script. This is nice since Windows doesn't seem to have a convenient way of doing this from a scripting perspective. But with this tool comes some complexities as well as costs.

I was wondering if anyone else has come up against a similar and how it was dealt with. 

Is using the Group Policy the best solution?

Or are there other methods that can be used?

And is there a method that is easily managed?

Hopefully this makes sense.

Thanks!