i have mac osx 10.5.x leopard. i have configured and binded to our work active directory. So my user can log into his mac and have his account authenticated against our active directory. thats fine. but i do not want to create this user to be able to administer the mac he is on (so that this person won't install unauthorized apps). but because this person cannot administer the computer, what happens with apple system software updates? will it run? and if it runs, will it prompt them to enter the administrator password? if i give this person the admin or root account and password, doesn't that defeat the purpose of not allowing them to install things on the computer in the first place? is there a way to allow apple software updates to run without prompting them for admin password to the computer, and not allow them to install p2p apps, instant messengers, etc.???