Run applications, but restrict domain user access

[SilentKagemusha]

I am trying to figure out how I can have certain applications run in the background on my domain users computers in a Windows Server 2019 environment, but not allow them to open, or at least to not be able to change anything in those apps.

 

I also need to figure out how to give my users the permission to update their work apps that are already installed (AutoCAD, AcrobatPro, Adobe Creative Suite, etc...) without giving them administrative access to everything.

 

I only ask here because I have scoured the internet for over a day, and not found any relevant information.

 

Anything helpful is most welcome!

 

Best Regards!

[leadeater]

On 12/5/2019 at 2:23 AM, 無声影武者 said:

I am trying to figure out how I can have certain applications run in the background on my domain users computers in a Windows Server 2019 environment, but not allow them to open, or at least to not be able to change anything in those apps.

I'm not sure what you mean, can you give an example application and what it does, why it needs to be there (just installed or actually running in the background). To control which applications and folder/file users can access you can use Windows AppLocker policies for that.

 

On 12/5/2019 at 2:23 AM, 無声影武者 said:

I also need to figure out how to give my users the permission to update their work apps that are already installed (AutoCAD, AcrobatPro, Adobe Creative Suite, etc...) without giving them administrative access to everything.

There isn't a good way to do this because a user will always require local administrator access to do it, without using more advanced software deployment software/methods which will require you to package update versions of the software each time.

[SilentKagemusha]

3 hours ago, leadeater said:

I'm not sure what you mean, can you give an example application and what it does, why it needs to be there (just installed or actually running in the background). To control which applications and folder/file users can access you can use Windows AppLocker policies for that.

 

There isn't a good way to do this because a user will always require local administrator access to do it, without using more advanced software deployment software/methods which will require you to package update versions of the software each time.

Thank you for your reply. The owner of the company wants all of the LEDs in the workstations I built to be white only. Since they are rgb, and I have to install the software that goes with them, I need a way to have that software start on boot up and stay running, but not let the employees change any of the settings.

 

For the second thing, I was thinking of installing windows admin center for remote management, and trying role based access to give the permission to update already installed software. I don't know if this will work, but it's all I have to try so far. 

[Electronics Wizardy]

3 hours ago, 無声影武者 said:

Thank you for your reply. The owner of the company wants all of the LEDs in the workstations I built to be white only. Since they are rgb, and I have to install the software that goes with them, I need a way to have that software start on boot up and stay running, but not let the employees change any of the settings.

 

For the second thing, I was thinking of installing windows admin center for remote management, and trying role based access to give the permission to update already installed software. I don't know if this will work, but it's all I have to try so far. 

You can run the program as a different user, and they won't be able to touch it. Talk to the maker of the rgb software to see if they have suggestions on how to do this. Might be annoying to script this as the programs aren't designed to be used that way.

 

Id just unplug the leds in the systems and lock the cases, then no lighs and less to manage.

 

Look at something like PDQ deploy or simmilar to manage programs and updates.