I would like to set my domain workstations so that users are not able to launch regedit.exe, only administrators. Is there a way to set file permissions with a GPO where TrustedInstaller is still the owner and the file permissions are TrustedInstaller defaults minus users? As soon as I push these manually defined settings via GPO, it completely breaks regedit.exe, and I get an access denied when I try to run it (even as local administrator).
Is there another way to deny domain and local users from launching regedit.exe (or any other WRP file) and only allow SYSTEM and Administrators access through TrustedInstaller?
Thanks in advance