I've setup a new AD domain, and on the Domain Controller (2012 R2), I've added Windows Remote Desktop Services.
I've got the licensing installed, and things are mostly working OK. I have two questions.
1) I've logged in to a remote desktop session using a non-administrator account, but I still have permissions to do things like install software and windows update, without going through a privilege escalation dialog. Clearly I don't want my users to be able to do this. I've verified the account is a member of Domain Users, and is not a member of Domain Admins. I've poked around the various management applications, but I just can't see this. If someone could tell me how to make the Domain Users not have elevated permissions, I'd be really grateful.
2) I've logged in, and I can pin apps to the start desktop thing. I'd like to set some defaults so my end users at least get office by default. How do I do that?
Thanks.
