![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 70%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,387 questions
Currently all the multiple team are part of the local admin group on the member servers and being a local admin they get all rights on the server. We want even being a local admin on the server they should be prevented from running a windows installer from their ad account
you can't. Local admins always can violate restrictions and run whatever they want.
If we can use the Power User local Group on server, will it prevent the installation on member server
power users are easily escalated to local admins, see: The Power in Power Users.
there is no bulletproof solution to prevent admins from installing unwanted software. Either, you trust them or not. If the later, then you should not grant them admin permissions.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 28.999999999999996%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVW%3C/text%3E%3C/svg%3E)