I would like to create a "power users" group in my active directory that gives users full admin rights on the local computer - the computer that they are actively logged on to - to use with roaming profiles.
So many programs require administrator privileges for "first use," and we have users that move from desk to desk.
However, many of these same users also connect via Terminal Services, (RDP), and I do NOT want them to have admin privileges on the Terminal Server, or, for that matter, on any of the servers.
Basically, I want a class of users that are full admins on any workstation in the domain, but NOT on the servers.
I'm currently using Server 2k3, but will be migrating the domain to 2008R2 in a couple of months.
Software/Hardware used: XP, 7, Server 2k3, Server 2008R2