
View Full Version : Machine Administrator



Chrysalis
August 28, 2004, 10:34 AM
How can I configure Windows XP users on my network so that they can have full administrator privileges on their own machines (install software, defrag, etc.) while denying them administrator access to our servers (Windows 2000)?
Currently all users are 'power users'. If I set them as 'administrator' they can access the server as well as modify their own machines. It's like I need something custom setup between 'power user' and 'administrator' but I don't know how to do it. Help please.

GodKid
August 28, 2004, 10:59 AM
If you're using Win2K Pro or XP Pro you should be able to use policies to add specific rights. What you can do is to create another group and add the permissions wanted there.

For Win2K (not sure if the instructions are the same for XP Pro - I believe so though):

Hit Start > Run > type "mmc"

At the console you want to "Add Snap-In" > add local user management and group policies

Then close the snap-in section. You should have access to all the settings you need now.

Hope that helps.

jamrock
August 30, 2004, 03:57 AM
> How can I configure Windows XP users on my network so that they can have full administrator privileges on their own machines (install software, defrag, etc.) while denying them administrator access to our servers (Windows 2000)?
> Currently all users are 'power users'. If I set them as 'administrator' they can access the server as well as modify their own machines. It's like I need something custom setup between 'power user' and 'administrator' but I don't know how to do it. Help please.

The users should not be able to have administrative rights on the server if they are set up as local administrators.

I am doing this from Windows 2000. XP is similar.
To set up the users as local administrators do the following:

right mouse click on my computer
choose manage
expand local users and groups
choose groups
open the administrators group
choose add
choose the domain from the "Look in" drop down arrow
add the user's domain account


This process adds the user's domain account to the local administrators group.

On XP you have to choose find now or something like that to see the list.
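
Added example, not part of the original thread: the same change made from a script instead of the Computer Management console, followed by a check of who else is in the group. It uses the LocalAccounts cmdlets of Windows PowerShell 5.1, which do not exist on Windows 2000/XP; the account `CORP\jdoe` and the allowlist are hypothetical placeholders.

```powershell
# Added example: give one domain account admin rights on THIS machine only,
# then list every member of the local Administrators group for review.
# Run from an elevated Windows PowerShell 5.1+ session.
param(
    # Hypothetical placeholder; replace with the user's real domain account.
    [string]$Account = 'CORP\jdoe',
    # Constructed allowlist of principals expected to be local administrators.
    [string[]]$Expected = @(
        'CORP\jdoe',
        'CORP\Domain Admins',
        "$env:COMPUTERNAME\Administrator"
    )
)

# Well-known SID of the built-in Administrators group (works on localized systems).
$adminSid = 'S-1-5-32-544'

$members = Get-LocalGroupMember -SID $adminSid
if ($members.Name -notcontains $Account) {
    # Membership is local to this machine; it grants nothing on servers
    # or on other workstations.
    Add-LocalGroupMember -SID $adminSid -Member $Account
    $members = Get-LocalGroupMember -SID $adminSid
}

# Mark members that are not on the allowlist so unexpected admins stand out.
$members |
    Select-Object Name, ObjectClass, PrincipalSource,
        @{ Name = 'Expected'; Expression = { $Expected -contains $_.Name } } |
    Sort-Object Expected, Name |
    Format-Table -AutoSize
```

Rows with `Expected` set to `False` sort first; those are the accounts to review or remove from the group.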

PABurgess
August 30, 2004, 11:57 AM
JAMROCK, think about it this way: if you create a user account on a machine locally and give it administrative privileges and then create the same user name and password on the server and give it the restricted privileges that you want, then you would have accomplished your goal. Every time the user needs to do something on the server it will authenticate on the server and the server will restrict the user. Same thing applies with local and domain policies.

jamrock
August 30, 2004, 12:24 PM
> JAMROCK, think about it this way: if you create a user account on a machine locally and give it administrative privileges and then create the same user name and password on the server and give it the restricted privileges that you want, then you would have accomplished your goal. Every time the user needs to do something on the server it will authenticate on the server and the server will restrict the user. Same thing applies with local and domain policies.

True...

However, you will have to manage two user accounts. If you have 500 users, then you have to manage 1000 accounts. By adding the domain account to the local group, you only have to manage one account per user.

Chrysalis
August 30, 2004, 12:28 PM
But if you have 5 persons on the network, all with administrative rights, they will all be able to access each other's files etc. over the network, right? I don't want that.
Also, my network does not have a domain.

jamrock
August 30, 2004, 12:34 PM
> JAMROCK, think about it this way: if you create a user account on a machine locally and give it administrative privileges and then create the same user name and password on the server and give it the restricted privileges that you want, then you would have accomplished your goal. Every time the user needs to do something on the server it will authenticate on the server and the server will restrict the user. Same thing applies with local and domain policies.

One more thing. For this to work seamlessly, the password of the domain account and the password of the local account have to be the same. If one changes (password policy or user intervention), a login screen will appear when the user tries to access domain resources. Most users get annoyed with two login screens.

jamrock
August 30, 2004, 12:46 PM
> But if you have 5 persons on the network, all with administrative rights, they will all be able to access each other's files etc. over the network, right? I don't want that.
> Also, my network does not have a domain.

It is my understanding that being a member of the local administrator's group gives an account administrative rights on the local machine only. Feel free to correct me if I am wrong.

If a user is not a member of the local administrator's group on someone else's machine, he will not have administrative rights on that machine. That is, the user cannot install software, configure TCP/IP, etc.

Securing each user's files is a separate issue. If your machines are formatted with NTFS, you should be able to restrict local access to each user's files. This is done by configuring the folder's security settings.