Windows 7 in a AD domain


I am testing w7 pro in a AD domain managed by w2003 servers, I found W7 local administrator is disabled by default and since my users need to install software regularly, I activated local admin account to let them use it in UAC.

I read some articles explaining WS7 local admin are now "Protected Admins" which run standard token until they do admin tasks. Do you think it should be safer to keep local admin disabled and grant local admin privilege to domain users (I don't know how to do that automatically at W7 joining time like users domain group add in local users groups ) ?

What are the best practices for w7 in a domain ?


This website is not affiliated, owned, or endorsed by Microsoft Corporation. It is a member of the Microsoft Partner Program.