LUA post no.1 - basic
Have you ever encountered the following situation?
In one of the companies I am responsible for, users were always Administrators... There are around 1500 computers with different sets of applications - many of the applications were written only for this company...
This is the worst scenario if you want to remove users from the Administrators group... Ehm, this wasn't true - removing users from Administrators is really easy; the hard part is reaching a state where every application works as expected.
Today I will talk about the simplest situation - an application is trying to write to a directory like %ProgramFiles%\Vendor\Application.
How do you know where it is trying to write? I recommend FileMon from SysInternals; however, there are more advanced techniques that I will describe later.
Using FileMon you will get a list of the paths the application is accessing.
Now the second part - using group policy, you will apply a security template that changes the permissions on these directories.
I can't write you the exact step-by-step procedure, because I don't have an EN Windows around :( However, here is a page from Microsoft where you can find all the information you need:
http://support.microsoft.com/default.aspx?scid=kb;en-us;q313434&sd=tech
You can use the same procedure to set up security on the registry.
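The two steps above (collect the denied paths, then describe the new permissions in a security template) can be scripted. This is an added example, not part of the original post. It assumes a tab-separated FileMon export with the columns sequence, time, process, request, path, result, other; the process name `app.exe`, the output file name and the sample lines are constructed.

```powershell
# Constructed sample of a saved FileMon log. Assumed layout (tab-separated):
# sequence, time, process, request, path, result, other.
$sampleLog = @"
1`t10:15:01`tapp.exe:1234`tOPEN`tC:\Program Files\Vendor\Application\app.exe`tSUCCESS`tOptions: Open
2`t10:15:02`tapp.exe:1234`tCREATE`tC:\Program Files\Vendor\Application\settings.ini`tACCESS DENIED`tOptions: OverwriteIf
3`t10:15:02`tapp.exe:1234`tCREATE`tC:\Program Files\Vendor\Application\Logs\today.log`tACCESS DENIED`tOptions: OpenIf
4`t10:15:03`texplorer.exe:800`tOPEN`tC:\Windows\win.ini`tACCESS DENIED`tOptions: Open
5`t10:15:04`tapp.exe:1234`tCREATE`tC:\Program Files\Vendor\Application\Logs\audit.log`tACCESS DENIED`tOptions: OpenIf
"@ -split "`r?`n"

function Get-DeniedDirectory {
    param([string[]]$Line, [string]$ProcessName)
    $Line | ForEach-Object {
        $f = $_ -split "`t"
        # Keep only denied requests made by the application under test.
        if ($f.Count -ge 6 -and $f[2] -like "$ProcessName*" -and $f[5] -eq 'ACCESS DENIED') {
            # The logged path is a file; the template entry targets its folder.
            [System.IO.Path]::GetDirectoryName($f[4])
        }
    } | Sort-Object -Unique
}

function New-SecurityTemplate {
    param([string[]]$Directory)
    # Administrators and SYSTEM: full control; Users: Modify (0x1301bf).
    # OICI makes each ACE inherit to subfolders and files.
    $sddl = 'D:AR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;BU)'
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]',
               'signature="$CHICAGO$"', 'Revision=1', '[File Security]')
    foreach ($d in $Directory) {
        # Templates use %ProgramFiles% so the entry works on any install drive.
        $p = $d -replace '^[A-Za-z]:\\Program Files', '%ProgramFiles%'
        # Mode 0: set this ACL and propagate inheritable permissions downward.
        $lines += '"{0}",0,"{1}"' -f $p, $sddl
    }
    $lines -join "`r`n"
}

# Review the list before applying it: Modify on a folder that holds
# executables lets any user replace them.
$dirs = Get-DeniedDirectory -Line $sampleLog -ProcessName 'app.exe'
New-SecurityTemplate -Directory $dirs | Set-Content -Path .\app-lua.inf -Encoding Unicode
```

The generated `app-lua.inf` can be imported into the Security Settings node of a GPO. Registry permissions go in a `[Registry Keys]` section with the same entry shape, using key paths such as `MACHINE\SOFTWARE\...` and registry rights in the SDDL string.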