We use a draconian policy of 3 logon attempts before lockout, no reset, lockout forever, and force this to all devices connected to W2K domain. When laptops are used remotely, users being users invariably lockout their account and then either have to bring it back to be unlocked, or support visits to unlock.
How can we give them a local admin account to use for unlocking without allowing them to log on locally when connected to the domain, and abusing the admin rights while connected to the domain, i.e. viewing $ shares?
Thanks for your help.