We would like to restrict users from installing any and all applications without requiring to input credentials of an account with rights to install. This account with rights can be part of a group that was delegated rights or just one particular user.
We currently have domain users and part of local admins group. When I removed domain users from local admins and left them in the users group it prompts me for someone with admin credentials, which is good. But the bad part it, it is now prompting for any admin action (I know its working as designed) such as an elevated command prompt to release/renew ip address, running shortcut marked as "always run as admin".
So the question would be, how can I restrict installing software but not be prompted by UAC for other actions such as releasing/renewing IP's and running shortcut marked as "always run as admin"
We are running Vista business with 2k3 r2 servers in an domain