As to your answer, my question is:
Would I have to add the client username to the local machine admin group at each and every client machine, or can I do this from the domain? If so, how?
Now, with all clients having local admin rights to the local machine, they are open to installing apps, utils and software anytime they like. We have installed all the necessary apps and software that they need; now we want to lock things down so that they cannot install anything. (How do I do this in the GPO, and where?) But we still need the client to have admin rights to the local machine due to antivirus updates and installs that may be needed.
Would I have to do this in the Computer config or User config in the domain policy?
The problem is, applications come in different formats, i.e. (exe, bat, com, zip, msi and so on). How do I block all that? Can I?