I am in a similar boat.

While I agree that GPO is the way to go, not everyone has it available. I just inherited a network of 800 PCs. Every user has admin rights, the domain is not controlled by me and I have no rights to manage it. The inmates are truly running the asylum here. I was hired to fix all this, but it will be a long road.

I do have access and control over the login script. This is my best avenue for making and controlling changes.

For me it is "peggle.exe" and others from PopCap. I think some of the above script techniques will work.

I would like to take it a bit farther and leave the directory and registry entries there but empty and restrict permission on them so they can't be written to ever again.

Is CACLS the best choice for doing that?