What is the best way to lock down the client PC’s with regard to software installation and admin privs? Currently the PC User is a member of the local administrator group for the sole purpose of patch installation functioning properly. I need to retain the independent patch installation ability, yet restict most else.
