This is my last shot to figure this out. If I can even figure it out.

Is there any way to stop a user from installing programs on their computer? We'll be running Server 2016. I've tried denying them local admin rights (which I did successfully), but to no avail. I've also tried forcing the programs to run with elevated privileges, once again to no avail.

How do I do this? Is it even possible?

I'd really appreciate all the help I can get.

Greg Askew
Thomas Hutton
  • Define "installing software"? If I download a script or copy a [no-install program](http://portableapps.com/) to my documents and run it, is it installed? – TessellatingHeckler Jul 26 '16 at 18:13
  • I meant as in the traditional .exe install. – Thomas Hutton Jul 26 '16 at 18:21
  • A limited (non-admin) user should not be able to install traditional software. Are you sure that your users are not administrators? Can you provide some examples of software that they are able to install? – MDMarra Jul 26 '16 at 18:24
  • What programs, for example? Because usually it's not allowed, unless it's user-space software. – Daniel Jul 26 '16 at 18:31

3 Answers

Assuming you are going to use a domain and use GPOs, then the recommended (albeit a PITA, but since you are starting from scratch it would be much easier to accomplish) path is Software Restriction Policies. This also has the added benefit of preventing malware/ransomware effectively.

https://technet.microsoft.com/en-us/library/hh831534(v=ws.11).aspx

Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run. Software restriction policies are part of the Microsoft security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers.

You can also use software restriction policies to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run. Software restriction policies are integrated with Microsoft Active Directory and Group Policy. You can also create software restriction policies on stand-alone computers. Software restriction policies are trust policies, which are regulations set by an administrator to restrict scripts and other code that is not fully trusted from running.

TheCleaner
  • So this worked. Essentially the issue is apparently Chrome and Firefox don't care if you're a local administrator, so they install even without elevated privileges. So I tried with Kodi and it didn't download. – Thomas Hutton Jul 27 '16 at 15:04
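The policy TheCleaner points at, as an added example that is not part of the original answer: a default-deny Software Restriction Policy built by writing the registry values the Group Policy editor (Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies) writes on the client. It is shown against the local machine; in a domain you build the same rules in a GPO and the client ends up with this registry layout. The rule descriptions and the two extra Disallowed rules are my choices; the level numbers, value names and key layout are SRP's own. It assumes an elevated PowerShell session on a box with no existing SRP configuration.

```powershell
# Added example: default-deny Software Restriction Policy via the registry.
# Run elevated. Assumes no existing SRP configuration on this machine.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels defined by SRP; a rule is stored under the key named after its level.
$Disallowed   = 0            # nothing matched by such a rule may run
$Unrestricted = 262144       # 0x40000: runs with the user's normal rights

New-Item -Path $Safer -Force | Out-Null

# Default rule: anything not matched by an explicit path rule is Disallowed.
Set-ItemProperty -Path $Safer -Name DefaultLevel        -Value $Disallowed -Type DWord
# 1 = enforce for all software files except DLLs; 2 also checks DLLs (test that first).
Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Value 1 -Type DWord
# 1 = apply to all users except local administrators, so admins can still install.
Set-ItemProperty -Path $Safer -Name PolicyScope         -Value 1 -Type DWord
Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0 -Type DWord
# Extensions treated as executable. Installers and scripts are the ones that matter here.
$ExeTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
            'INS','ISP','JS','JSE','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
            'PIF','PS1','REG','SCR','SHS','URL','VB','VBE','VBS','WSC','WSF','WSH'
Set-ItemProperty -Path $Safer -Name ExecutableTypes -Value $ExeTypes -Type MultiString

function Add-SaferPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,         # folder or file pattern
        [Parameter(Mandatory)][int]$Level,           # $Disallowed or $Unrestricted
        [Parameter(Mandatory)][string]$Description
    )
    # Each rule is a {GUID} subkey under <Level>\Paths, exactly as secpol.msc stores it.
    $RuleKey = Join-Path $Safer ('{0}\Paths\{{{1}}}' -f $Level, [guid]::NewGuid())
    New-Item -Path $RuleKey -Force | Out-Null
    Set-ItemProperty -Path $RuleKey -Name ItemData     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $RuleKey -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $RuleKey -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $RuleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Allow only locations a standard user cannot write to. Registry path rules (the form
# the built-in default rules use) are preferred over %SystemRoot%-style environment
# variables, which a user can redefine in their own session.
$WinDir    = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'
$ProgDir   = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'
$ProgDir86 = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%'
Add-SaferPathRule -Path $WinDir    -Level $Unrestricted -Description 'Windows directory'
Add-SaferPathRule -Path $ProgDir   -Level $Unrestricted -Description 'Program Files'
Add-SaferPathRule -Path $ProgDir86 -Level $Unrestricted -Description 'Program Files (x86)'
# Two subfolders of the Windows directory are user-writable; a more specific path rule
# wins in SRP regardless of level, so these close that hole.
Add-SaferPathRule -Path "$WinDir\Temp"  -Level $Disallowed -Description 'User-writable: Windows\Temp'
Add-SaferPathRule -Path "$WinDir\Tasks" -Level $Disallowed -Description 'User-writable: Windows\Tasks'

# Per-user installers (Chrome, Firefox) unpack into %LOCALAPPDATA%, which matches no
# rule and so falls to the Disallowed default. Check from a non-admin session after
# logging off and on again; the copy should be refused with "This program is blocked
# by group policy":
#   Copy-Item C:\Windows\System32\calc.exe "$env:LOCALAPPDATA\calc.exe"
#   & "$env:LOCALAPPDATA\calc.exe"
```

This is why removing local admin rights alone did not help the asker: a per-user installer never needs to write anywhere a standard user is denied, so only a rule about where code may run from stops it. PolicyScope 1 keeps administrators out of the policy so they can still install machine-wide.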

Further to TheCleaner's suggestion of Software Restriction Policies, Microsoft have since released a more "hard core" version called AppLocker.

https://technet.microsoft.com/en-us/library/ee424367(v=ws.10).aspx

AppLocker is a new feature in Windows Server 2008 R2 and Windows 7 that advances the features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny applications from running based on unique identities of files and to specify which users or groups can run those applications. Using AppLocker, you can:

  • Control the following types of applications: executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp), and DLL files (.dll and .ocx).
  • Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.
  • Assign a rule to a security group or an individual user.
  • Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run except Registry Editor (Regedit.exe).
  • Use audit-only mode to deploy the policy and understand its impact before enforcing it.
  • Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, all criteria in the existing policy are overwritten.
  • Streamline creating and managing AppLocker rules by using Windows PowerShell cmdlets.

AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of help desk calls that result from users running unapproved applications.

Be warned: AppLocker policies are the first thing to process on machine boot and, if configured as such, are capable of blocking even required system DLLs/EXEs, which will prevent Windows from actually starting, so make sure you test it thoroughly.

CodedBeard
  • +1 - I usually blend my thoughts of SRP and AppLocker together and just refer to them both as SRP. But yes, AppLocker would be the best path to research out and implement in a new deployment especially if using W2k16. – TheCleaner Jul 27 '16 at 13:23
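The audit-then-enforce workflow CodedBeard describes, as an added example that is not code from the original answer: an AppLocker policy for Server 2016 that lets standard users run executables and Windows Installer packages only from locations they cannot write to, deployed in audit mode first, dry-run with Test-AppLockerPolicy, and enforced only after the audit events have been reviewed. The rule names, the file names under $env:TEMP and the two constructed test binaries are mine; the cmdlets, SIDs, path variables and event IDs are AppLocker's. It assumes an elevated session on the machine being locked down.

```powershell
# Added example: AppLocker lockdown in audit mode, then enforcement. Run elevated.

# Rules are evaluated only while the Application Identity service runs; make it automatic.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

function New-LockdownPolicyXml {
    param([Parameter(Mandatory)][ValidateSet('AuditOnly', 'Enabled')][string]$Mode)
    $everyone = 'S-1-1-0'
    $admins   = 'S-1-5-32-544'
    # Path rules per collection. %PROGRAMFILES% in AppLocker covers both Program Files
    # directories. Exceptions close the user-writable subfolders of %WINDIR% that a
    # blanket allow would otherwise open.
    $collections = [ordered]@{
        Exe = @(
            @{ Path = '%PROGRAMFILES%\*'; Name = 'Program Files';  Sid = $everyone; Exc = @() }
            @{ Path = '%WINDIR%\*';       Name = 'Windows';        Sid = $everyone; Exc = @('%WINDIR%\Temp\*', '%WINDIR%\Tasks\*') }
            @{ Path = '*';                Name = 'Administrators'; Sid = $admins;   Exc = @() }
        )
        Msi = @(
            @{ Path = '%WINDIR%\Installer\*'; Name = 'Installer cache (repairs, updates)'; Sid = $everyone; Exc = @() }
            @{ Path = '*';                    Name = 'Administrators';                    Sid = $admins;   Exc = @() }
        )
    }
    $xml = foreach ($type in $collections.Keys) {
        $rules = foreach ($r in $collections[$type]) {
            $exc = ''
            if ($r.Exc.Count -gt 0) {
                $exc = '<Exceptions>' + (($r.Exc | ForEach-Object { '<FilePathCondition Path="{0}" />' -f $_ }) -join '') + '</Exceptions>'
            }
            ('<FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="Allow">' -f [guid]::NewGuid(), $r.Name, $r.Sid) +
            ('<Conditions><FilePathCondition Path="{0}" /></Conditions>' -f $r.Path) + $exc + '</FilePathRule>'
        }
        ('<RuleCollection Type="{0}" EnforcementMode="{1}">' -f $type, $Mode) + ($rules -join '') + '</RuleCollection>'
    }
    '<AppLockerPolicy Version="1">' + ($xml -join '') + '</AppLockerPolicy>'
}

# 1. Audit mode: nothing is blocked yet, but every file that *would* have been blocked is
#    logged as event 8003 (EXE/DLL) or 8006 (MSI/script) in the AppLocker event logs.
$auditXml = Join-Path $env:TEMP 'applocker-audit.xml'
New-LockdownPolicyXml -Mode AuditOnly | Set-Content -Path $auditXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $auditXml      # local policy; add -Ldap 'LDAP://...' to target a GPO

# 2. Dry-run the policy against real files before any user sees it. Two copies of
#    notepad.exe stand in for a per-user installer and a dropper in Windows\Temp
#    (constructed test files, removed afterwards).
$userDrop = Join-Path $env:LOCALAPPDATA 'per-user-setup.exe'
$tempDrop = Join-Path $env:SystemRoot  'Temp\dropper.exe'
Copy-Item "$env:SystemRoot\System32\notepad.exe" $userDrop
Copy-Item "$env:SystemRoot\System32\notepad.exe" $tempDrop
$samples = "$env:SystemRoot\System32\notepad.exe", "$env:ProgramFiles\Internet Explorer\iexplore.exe", $userDrop, $tempDrop
# Expect Allowed for the first two and a Denied* decision for the two copies.
Test-AppLockerPolicy -XmlPolicy $auditXml -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $userDrop, $tempDrop

# 3. After a quiet audit period, look at what users actually tripped over...
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
    Select-Object -First 20 TimeCreated, Message

# ...then enforce. Keep a console session open: a bad rule here can block the logon shell.
$enforceXml = Join-Path $env:TEMP 'applocker-enforce.xml'
New-LockdownPolicyXml -Mode Enabled | Set-Content -Path $enforceXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $enforceXml
```

The Test-AppLockerPolicy step is the cheap insurance against the boot-blocking failure the answer warns about: run it over the paths your logon scripts and line-of-business tools actually live in before flipping EnforcementMode to Enabled, and add a Dll collection only after the Exe one has been quiet in audit for a while.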

There are a few ways to do this, but most truly lock a system down.

If you implement Group Policy on your server, add your restricted users to the group that will have the limitations. In the GP Editor, virtually every parameter is available to prevent users from performing certain operations. This includes USB drives, which you can disable when a certain account logs in. Needless to say, it will take you some time to locate, restrict and test all of the functionality. It is tedious, but the preferred method to accomplish your goal.

You might be able to search the web for some scripts to achieve this, or for someone that specializes in GP. I have used it to restrict browser access, loading apps from CDs, removing the DOS prompt from the start button, etc. All of these are ways to circumvent security. PCs of varying hardware and OSes may also require varied configs in GP.

Good luck; it usually takes an organization with a decent IT budget to fully take advantage of this powerful feature.

I hate to say this, but in my experience, one effective and less costly approach is to fire someone as an example. To be effective though it takes continued auditing of installed software and on a lot of PCs this can take some time.

A good starting point

Check list for deployment

htm11h
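The "continued auditing of installed software" this answer calls for, as an added example that is not code from the original answer: a PowerShell inventory that reads the Uninstall keys (machine-wide under HKLM, per-user under each loaded hive in HKEY_USERS, which is where a Chrome or Firefox per-user install registers itself) and flags what no approved publisher shipped. The function name, the approved-publisher list and the commented-out fleet-wide collection path are mine. It assumes an elevated session, so other users' loaded hives are readable.

```powershell
# Added example: inventory installed software, machine-wide and per user. Run elevated.
function Get-InstalledSoftware {
    [CmdletBinding()]
    param(
        # Products whose Publisher matches one of these wildcards count as approved
        # (list is an example; replace with your own vendors).
        [string[]]$ApprovedPublisher = @('Microsoft*')
    )
    $uninstall = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    $wow       = 'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'

    $roots = @(
        @{ Scope = 'Machine'; User = 'SYSTEM'; Path = "HKLM:\$uninstall" }
        @{ Scope = 'Machine'; User = 'SYSTEM'; Path = "HKLM:\$wow" }
    )
    # Every currently loaded user hive; built-in accounts and *_Classes aliases are skipped.
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' | Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }) {
        $sid = $hive.PSChildName
        try   { $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid }   # unresolvable SID (e.g. a deleted account); keep the raw value
        $roots += @{ Scope = 'User'; User = $account; Path = "Registry::HKEY_USERS\$sid\$uninstall" }
    }

    foreach ($root in $roots) {
        if (-not (Test-Path $root.Path)) { continue }
        Get-ChildItem $root.Path | ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName } |
            ForEach-Object {
                $approved = $false
                foreach ($p in $ApprovedPublisher) { if ($_.Publisher -like $p) { $approved = $true } }
                [pscustomobject]@{
                    Computer    = $env:COMPUTERNAME
                    Scope       = $root.Scope
                    User        = $root.User
                    DisplayName = $_.DisplayName
                    Version     = $_.DisplayVersion
                    Publisher   = $_.Publisher
                    InstallDate = $_.InstallDate
                    Location    = $_.InstallLocation
                    Approved    = $approved
                }
            }
    }
}

# Per-user installs that no approved publisher shipped are the ones to follow up on.
Get-InstalledSoftware | Where-Object { $_.Scope -eq 'User' -and -not $_.Approved } |
    Sort-Object User, DisplayName |
    Format-Table User, DisplayName, Version, Publisher, Location -AutoSize

# Fleet-wide (needs PowerShell remoting and the AD module; share path is a placeholder):
# Invoke-Command -ComputerName (Get-ADComputer -Filter * | Select-Object -ExpandProperty Name) `
#     -ScriptBlock ${function:Get-InstalledSoftware} |
#     Export-Csv -NoTypeInformation -Path "\\fileserver\audit\software-$(Get-Date -Format yyyyMMdd).csv"
```

Only hives that are currently loaded appear under HKEY_USERS, so a user who is logged off is invisible to this pass; run it at logon via a scheduled task or GPO logon script, or load the profile hives explicitly, if you need full coverage. Diffing one week's CSV against the next turns the audit into a list of new, unexplained installs rather than a wall of everything.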