GPO with Security Filtering is the best approach for this. It's been discussed here many times. If the user can set it with a script during logon, they can change it any time they wish, since they must have local admin rights - a very bad thing in most cases.
A viable alternative if GPO absolutely can't be done is to use the "Secure Admin Install Suite" as posted in the Script Vault here on KORG. This is a central service and an API for the login script to DETECT (as a non-Admin) when something should be done and then trigger a REQUEST on the server to perform a task to be done remotely with Admin rights. It's MUCH SAFER than granting everyone admin rights, but WAY MORE complex than a GPO with a security filter to prevent application to members of a specific group.
Glenn
_________________________
Actually I
am a Rocket Scientist!
