Hi all,

I am wondering if anyone has any suggestions on how I can restrict user
access on some machines but not on others.

An example of what I mean is our Instructor accounts: we would like them to
be Administrators of their own machines in their office (they always want
to install and try some 'free' software they've received), yet when they go
to the teaching lab and log into the instructor station we'd like them to only
be a member of the Users group so they can't mess with the workstations.

We have Windows XP installed both in the lab and the offices. The
instructor accounts are Dynamic Local Users, currently volatile, but that
could be changed to non-volatile.

So far I have two ideas on this situation. Please let me know your thoughts
on the feasibility of these, or any other ways I might accomplish this task.

Idea #1: Create a local group (called instructors) on both the lab and
office PCs, and set the DLU policy to add these users to the new local
groups. Give the instructors group on their office PCs permissions to do
administrative type things like install software, basically Full access to
the PC. On the lab PCs don't give the instructor group any extra permissions.

Idea #2: Have the instructors' DLU only create them as a member of the Users
group; this would solve my lab problem of them having too much access. Then
create a NAL application that gets the currently logged-in username and
runs 'net user %USERNAME% blah' that adds the currently logged-in user to
the Administrators group. This NAL icon would be associated to their Office
PC and therefore could not be run on a teaching lab instructor station.