group-policyuser-accountsuser-profileswindows 10
I have one admin account and 2 standard user accounts on a local computer and not on a domain. For example,
User A -> (Admin Account)
User B -> (Standard Account)
User General -> (Standard Account)
Is there a user group policy setting that I can enforce logging in from the Admin account (User A) such that, only User B can install new software on it? If not is there a mechanism to achieve this. I don't want to put any of these accounts on a domain.
In Windows Vista and later you can apply policies only to a specific account, but you have to load the group policy object editor from the Microsoft Management Console, not by opening the snapin directly.
Click the "users" tab and select a user.
You will now have a group policy user object for the selected user. Apply whatever restrictions you want. You may be interested in checking out "Hide these specified drives in My Computer" in User Configuration > Administrative Templates > Windows Components > Windows Explorer.
It has already been said in another answer, but to clarify things, I've decided to still write an answer.
Yes, A user that is added to the local administrators group, gets full control on that computer, and they can do anything on that computer, including changing other local users.
However, notice how I write local users.
While local admins can do anything to a local computer, they cannot make changes to domain accounts, as that requires access to the domain controller.
If you want to prevent local admins from changing other users password, you will need to use a domain controller, add the computer to the domain and migrate the user accounts to the domain controller.
After that, local admins can still do a whole lot on that pc, but they can no longer change the password of other admins, if those admins are domain users.
That said, with admin access, you can create local users, and login with that.
Also good to note, while many tasks seem to require admin access, this is not always necessary. Admin access is requested when a task fails due to insufficient rights. For example, installing a program in C:\Program Files, requires admin access because by default, normal users may not write to this folder. If you make this folder writable for normal users, then they no longer need admin access for installs that just place the program in that location. Similarly, the local machine registry hive has similar restrictions that can also be opened similarly.
I would advise against opening these with write permissions for everyone, but you can add these specific users to those locations with write permissions and they may not need an admin account in the first place.
Best Answer
Users can install any software that doesn't require admin privileges. This depends on the software installation, whether it allows you to choose between installing per-user or for all users. The first option shouldn't require admin rights.
Standard users can install any of these programs, for example Zoom and Teams. I think that Chrome would be in this list as well.
A well-built software installation would only ask for elevation once the user has selected the installation option "for all users". But there is no solution or GPO policy that can help with a software installation that asks first for elevation.