Hi there,
We are in a NON-DOMAIN environment and have created default policies to lock down the PC's and special policies for admin users that un-do's the default policies. This is working fine for us on our XP SP3 machines.

If a local Administrator, or DLU cached admin account, logs in "workstation only" they are prompted for their ZCM credentials. If a cached admin enters their credentials then they have full rights to the desktop. If they don't enter the ZCM credentials (perhaps no network cable or using the built-in Administrator account), then they are locked down and unhappy.

What have we missed to allow full access to the desktop for members of the local Administrator group?