Create local administrator security group in AD
Open Group Policy Management
1. Create GPO in this domain
2. Name: corp local administrator access
3. Edit – open Group Policy Management Editor
4. Computer Configuration – Policies – Windows Settings – Security Settings – Restricted Groups – Add Group
Browse – Add – “corp local administrator”, then under “This group is a member of” add Administrators
5. Set the GPO to Enforced.
6. Link the GPO to the OU and enable the link.
7. Apply to client machine – on command prompt “:
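A client-side check for the procedure above, added here as an example and not part of the original notes: it compares the local Administrators group with an allowlist after the GPO has applied. The domain name CORP, the allowlist entries other than “corp local administrator”, and the function names are assumptions.

```powershell
# Added example: audit local Administrators after the Restricted Groups GPO applies.
# Assumptions (not from the page): NetBIOS domain name CORP and the allowlist below.
# "This group is a member of" only ADDS the group to Administrators; it does not
# remove accounts that were already members, so leftovers must be found separately.

function Get-ExpectedAdmins {
    param([string]$Computer = $env:COMPUTERNAME, [string]$Domain = 'CORP')
    @(
        "$Domain\corp local administrator"  # group pushed by the GPO (name from the page)
        "$Domain\Domain Admins"             # added by Windows at domain join
        "$Computer\Administrator"           # built-in local account
    )
}

function Compare-AdminMembership {
    param([string[]]$Actual, [string[]]$Expected)
    # -notin is case-insensitive, which matches how Windows compares account names.
    [pscustomobject]@{
        Missing    = @($Expected | Where-Object { $_ -notin $Actual })
        Unexpected = @($Actual   | Where-Object { $_ -notin $Expected })
    }
}

# Constructed sample: PC01 still has a user added by hand before the GPO existed.
$sample = 'CORP\corp local administrator', 'CORP\Domain Admins',
          'PC01\Administrator', 'CORP\jsmith'
$demo = Compare-AdminMembership -Actual $sample -Expected (Get-ExpectedAdmins -Computer 'PC01')
"Sample unexpected members: $($demo.Unexpected -join ', ')"

# Live check on the machine the script runs on.
try {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators (works on any locale).
    $live = (Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop).Name
    $r = Compare-AdminMembership -Actual $live -Expected (Get-ExpectedAdmins)
    if ($r.Missing)    { Write-Warning "Expected members missing: $($r.Missing -join ', ')" }
    if ($r.Unexpected) { Write-Warning "Review these members: $($r.Unexpected -join ', ')" }
    if (-not $r.Missing -and -not $r.Unexpected) { 'Local Administrators matches the allowlist.' }
} catch {
    # Get-LocalGroupMember can fail when the group holds an orphaned SID.
    Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
}
```

Run it in an elevated PowerShell 5.1 or later session on the client after Group Policy has refreshed.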
How to prevent a standard domain user from installing programs on a client machine?
1. Open the Group Policy Management Console (GPMC).
2. Right-click your domain and choose the “Create a GPO in this domain, and link it here” option.
3. Name the Group Policy Object (GPO) “Block Google Chrome” and click OK.
4. Right-click the policy you just created and click Edit.
5. Navigate to the User Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies folder.
6. Right-click Software Restriction Policies and select New Software Restriction Policies.
7. Right-click Additional Rules and choose New Path Rule.
8. In the Path field, type chromesetup.exe.
9. In the Security level drop-down box, choose Disallowed and click OK.
Repeat steps 7 through 9 for the chrome.exe and gears-chrome-opt.msi files.
Repeat steps 7 through 9 for the path C:\Users\%username%\AppData\Local\Google\Chrome\Application\chrome.exe for Vista machines or C:\Documents and Settings\%username%\Local Settings\Application Data\Google\Chrome\Application\chrome.exe for XP machines. You should include this rule in case some of your users have already installed the browser. After you implement the GPO and the Group Policy settings refresh on those users’ local machines, they’ll no longer be able to successfully run Google Chrome.
Open a command-prompt window and run the command to apply the new rules.
Run the command
Verify that the newly created GPO has successfully been applied. As a final test, attempt to run the installer from the Google Chrome website.
If the users do not have local administrator access, you may simply disable per-user installations via Group Policy.
DisableUserInstalls is a machine policy which will block per-user installations. There is also an option for “hiding” existing per-user installed applications in favor of the per-computer installed versions.
1. Open gpmc.msc and select the GPO to which you will add the policy.
2. Navigate to Computer Configuration, Policies, Administrative Templates, Windows Components, Windows Installer.
3. Set the policy “Prohibit User Install” to “Enabled”.
[Optional] Set the policy “User Install Behavior” to “Hide User Installs”.
Group Policy – Change domain user wallpaper
- First create a folder on the server named “commonwallpaper”.
- Share the folder with Everyone and give read-only access.
- Sharing option – enable “No files or programs from the shared folder are available offline”.
- Put the wallpaper in the same folder.
1. Create a GPO in the domain – name: commonwallpaper_GPO
2. Right-click commonwallpaper_GPO – Edit – User Configuration – Policies – Administrative Templates – Desktop – Desktop – Desktop Wallpaper – Enabled – Wallpaper Name: \\192.168.1.250\commonwallpaper$\corpwallpaper.jpg
3. Apply the GPO to the security group.
4. On the client system, open cmd and run: gpupdate /force
5. The wallpaper on all client machines is updated automatically.