We have set up a Server 2012 domain with Windows 8 workstations in a remote location that we cannot physically attend. We have allowed several domain users to be a local admin on the workstations, and they are meant to contact us before installing any new software on a workstation.
The situation has arisen where unauthorised software has been installed on a workstation, but the staff with the local admin authority all claim they did not install it.
Is there a way to:
1) find whose credentials were used to install the software?
2) set up some method for the server/workstation to notify us each time new software is installed or PC local admin credentials are used, so we are aware in future if and when this happens?