win7 admin management inquiry
I want to pinch user policies on Win7 laptops users check out from me as “Power Users” right… But then… I need to grant them an Admin Account if they need to install something to test-out but only limit the password age to say 2 weeks of potential time to install something… I'd just set the max age of their local security policy to 14 days then right?

What stops them from using the one admin account to set the other power user as an admin? Can this be prevented? Can I audit tampering with other user accounts by the admin account via GPO logs? Perhaps can you just expire a “User type” (Admin-2-regUser) for a local user Account?

As always, thanks so much for your advice and direction…
microsoft@JAaronAnderson.com
April 27th, 2011 7:26pm

> I want to pinch user policies on Win7 laptops users check out from me as “Power Users” right… But then… I need to grant them an Admin Account if they need to install something to test-out but only limit the password age to say 2 weeks of potential time to install something… I'd just set the max age of their local security policy to 14 days then right?

No, if you set the "Maximum password age" it will only force the user to change their password after 14 days. What you can do is create a domain user. Make this domain user an admin on the machine and disable it in AD. Once you want your user to install software X, you enable this user in AD and set an expiration date on this account. Note that the first time this user logs in, he needs to be able to connect to your domain controllers (he must be connected to your LAN).

> What stops them from using the one admin account to set the other power user as an admin?

By default nothing, once you have admin privileges you own the box :)

> Can this be prevented?

Nope, this is too hard to prevent.

> Can I audit tampering with other user accounts by the admin account via GPO logs?

Yes, you can set "Audit account management" on success. This audits, for example:

- A user account or group is created, changed, or deleted.
- A user account is renamed, disabled, or enabled.
- A password is set or changed.

But remember your user is an administrator => an administrator can clear the security audit log.

> Perhaps can you just expire a “User type” (Admin-2-regUser) for a local user Account?

Not that I am aware of.

> As always, thanks so much for your advice and direction… microsoft@JAaronAnderson.com

Conclusion: what you want to do is hard, almost not possible. However, there are 3rd party solutions that maybe can help you with your problem. Take a look at Beyond Trust Power Broker desktop.
http://www.beyondtrust.com/PowerBroker-Desktops-Windows-Edition.aspx?section=PowerBroker-Desktops-Windows-Edition
This software allows you to set a GPO where you can allow a standard user to install only software that is approved by you.

Kind Regards
DFT
IM me - TWiTTer: @DFTER
April 28th, 2011 9:14am
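
An added example, not part of the original thread: one way to review what "Audit account management" recorded on a returned laptop, flagging additions to the local Administrators group and clearing of the Security log. The event IDs are the standard Windows Vista/7 Security log IDs; the 14-day window in `$Since` is an assumption to be adjusted to the actual loan period.

```powershell
# Added example. Run elevated on the returned laptop; "Audit account management"
# (Success) must have been enabled before the loan.
$Since     = (Get-Date).AddDays(-14)   # assumption: loan started 14 days ago
$AdminsSid = 'S-1-5-32-544'            # well-known SID of BUILTIN\Administrators
$What = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4724 = 'Password reset attempted'
    4732 = 'Member added to local group'
    4738 = 'User account changed'
    1102 = 'Security audit log cleared'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4720, 4722, 4724, 4732, 4738, 1102; StartTime = $Since
} -ErrorAction SilentlyContinue   # "no events found" is not an error here

$report = $events | Where-Object { $_ } | ForEach-Object {
    $e   = $_
    $xml = [xml]$e.ToXml()
    # 47xx events carry named <Data> fields; 1102 uses plain child elements.
    $f = @{}
    foreach ($d in $xml.SelectNodes("//*[local-name()='Data'][@Name]")) {
        $f[$d.GetAttribute('Name')] = $d.InnerText
    }
    $actor = $f['SubjectUserName']
    if (-not $actor) {
        $n = $xml.SelectSingleNode("//*[local-name()='SubjectUserName']")
        if ($n) { $actor = $n.InnerText }
    }
    $target = $f['TargetUserName']
    if ($e.Id -eq 4732) { $target = "$($f['MemberSid']) -> $target" }
    # Flag the two cases raised in the thread: promotion to admin, log clearing.
    $flag = ($e.Id -eq 1102) -or
            ($e.Id -eq 4732 -and $f['TargetSid'] -eq $AdminsSid)
    New-Object PSObject -Property @{
        Time = $e.TimeCreated; Id = $e.Id; Event = $What[$e.Id]
        Actor = $actor; Target = $target; Flag = $flag
    }
}
$report | Sort-Object Time |
    Format-Table Time, Id, Event, Actor, Target, Flag -AutoSize
```

Clearing the Security log removes the earlier entries but itself writes event 1102, so a log that begins with a flagged 1102 row inside the loan window is a finding in its own right.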

This topic is archived. No further replies will be accepted.
