We are using cloud infrastructure with a Terminal Server for users and Application Servers that allow Administrator access only. The issue is we have an application that is installed on both TS and APP servers that requires frequent updates. We update the application on the Application Server first. The "updated files" are placed in a share and the Terminal server users can then apply the updates to the application on the Terminal server. I'd like to elect a user to be able to updated the Application Server herself; however, I do not want to allow her to harm any other applications or data on the application server (It also contains our SQL Server Instances and other important data shares). Id like her to log into the application server and restrict her to running a specific application only.
I've done research and understand how to restrict users to running stuff on the desktop only. (I've accomplished that on the terminal server) I just don't think there is a way to take away the command prompt and all the other Administrative access/privileges and still allow her Administrative access to the server. I do not have the luxury of a test infrastructure and do not want the risk of corrupting out security model through experimentation with the group policies.