AD GPO to limit users permission on specific machines

I have a requirement to set up a machine with the below configuration.
When a user logs in to the machine, the user cannot add/delete any applications.
The user cannot add/delete/modify any files on the machine / desktop too.
I need help to set up the same via GPO for specific machines, not user-specific.
Sekar Chinnakannu, Staff Engineer, Asked:

Shaun Vermaak, Technical Specialist, Commented:
> When a user logs in to the machine, the user cannot add/delete any applications.
> The user cannot add/delete/modify any files on the machine.

Do not give administrator rights.
Block network share access too.
Block inbound/outbound File and Printer via Windows Firewall:
https://www.experts-exchange.com/articles/31687/Windows-Firewall-as-Code.html
Disable USB ports:
https://serverfault.com/questions/576768/disable-usb-mass-storage-access-on-client-machines

> I need help to set up the same via GPO for specific machines, not user-specific.

Everything above is computer targeted.

Sekar Chinnakannu, Staff Engineer, Author Commented:
Thanks Shaun, can you help with these two requirements?

When a user logs in to the machine, the user cannot add/delete any applications.
The user cannot add/delete/modify any files on the machine / desktop too.
Hello There, System Administrator, Commented:
Disable USB Ports
Computer Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access-->
All Removable Storage Classes: Deny all access - ENABLED
Removable Disks: Deny execute access - ENABLED
Removable Disks: Deny read access - ENABLED
Removable Disks: Deny write access - ENABLED
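
One way to script the computer-targeted Removable Storage Access settings listed above with the GroupPolicy PowerShell module, scoped to specific machines only. This is an added example, not part of the original thread; the GPO name, OU path and security group are hypothetical placeholders.

```powershell
# Added example. Run on a management host with RSAT / the GroupPolicy module.
Import-Module GroupPolicy

# Hypothetical names: replace with your own GPO name, OU and computer group.
$gpoName  = 'LockedDown - Deny Removable Storage'
$targetOu = 'OU=LockedDownPCs,DC=example,DC=com'
$pcGroup  = 'LockedDown-Computers'   # security group containing the computer accounts

# Registry locations behind the "Removable Storage Access" administrative templates.
$base           = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$removableDisks = "$base\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"   # Removable Disks class

$gpo = New-GPO -Name $gpoName -Comment 'Computer-side removable storage restrictions'

# All Removable Storage classes: Deny all access = Enabled
Set-GPRegistryValue -Name $gpoName -Key $base -ValueName 'Deny_All' `
    -Type DWord -Value 1 | Out-Null

# Removable Disks: Deny execute / read / write access = Enabled
foreach ($valueName in 'Deny_Execute', 'Deny_Read', 'Deny_Write') {
    Set-GPRegistryValue -Name $gpoName -Key $removableDisks -ValueName $valueName `
        -Type DWord -Value 1 | Out-Null
}

# The GPO carries computer settings only, so switch off the user half.
$gpo.GpoStatus = 'UserSettingsDisabled'

# Security filtering: Authenticated Users may read the GPO but not apply it;
# only members of the computer group apply it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $pcGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Link to the OU that holds the machines.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null

# Review what was written before the machines pick it up.
Get-GPRegistryValue -Name $gpoName -Key $base
Get-GPRegistryValue -Name $gpoName -Key $removableDisks
```

On a target machine, `gpupdate /force` followed by `gpresult /r /scope computer` shows whether the GPO was applied or filtered out.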
Shaun Vermaak, Technical Specialist, Commented:
> When a user logs in to the machine, the user cannot add/delete any applications.

Do not give administrative rights.

> The user cannot add/delete/modify any files on the machine / desktop too.

No built-in way to do this. You can use mandatory profiles to delete any changes upon logoff/restart. You could change the owner of desktop/documents etc. and set it as deny write.
Sekar Chinnakannu, Staff Engineer, Author Commented:
How can I disable add/delete/modify of any files in all locations except the desktop?
Hello There, System Administrator, Commented:
> The user cannot add/delete/modify any files on the machine / desktop too.

You can lock the account in such a way that the user won't be able to do anything. No access to C:\ but he will be able to browse his Documents, Pictures, Downloads etc. only.
This is what we use.
Shaun Vermaak, Technical Specialist, Commented:
> How can I disable add/delete/modify of any files in all locations except the desktop?

In general, that is the experience you get as a normal user (except obviously other user folders such as documents).
Sekar Chinnakannu, Staff Engineer, Author Commented:
Still, I can create as a normal user.
Shaun Vermaak, Technical Specialist, Commented:
Yes
Sekar Chinnakannu, Staff Engineer, Author Commented:
Thanks for your help.
Windows Server 2012