Hi @madki
User accounts can have local admin rights on workstations (or any computer) without being anything near a domain admin - check the computer's Administrators group. It is also possible that the program installs to the profile, which does not require admin rights.
You can do a number of things.
Make a local administrators group and add it to all the desktops and add users to it. They'll have Admins on the desktops but not the domain or any resources not directly granted access.
So you can try to use Group Policy to automatically distribute programs to client computers or users.
In some cases the user will have a program that writes to the Windows or Program Files directory or even to the registry. In these cases create a security group and Group Policy for that program. Then find the smallest directory and/or registry key required to enable the program and grant the security group full access to just that in your new policy. Add the users of this program to the security group and then apply the GPO to the appropriate OUs.
Hope this helps with your query!
--If the reply is helpful, please Upvote and Accept as answer--
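
The last option in the answer above (a per-program security group with access to only the smallest directory and registry key), as an added example that is not part of the original answer: it applies the ACLs directly on one test workstation so the result can be checked before the same entries go into the GPO. The group name and both paths are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example. All three values below are hypothetical placeholders.
$Group   = 'CONTOSO\App-LegacyTool-Users'      # security group for users of the program
$DirPath = 'C:\Program Files\LegacyTool\Data'  # smallest directory the program writes to
$RegPath = 'HKLM:\SOFTWARE\LegacyTool'         # smallest registry key the program writes to

function Grant-DirectoryAccess {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)   # existing ACEs on the folder are kept
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Grant-RegistryAccess {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # subkeys only
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

Grant-DirectoryAccess -Path $DirPath -Identity $Group
Grant-RegistryAccess  -Path $RegPath -Identity $Group

# Show the group's entries: they should be explicit (IsInherited = False)
# and present on these two objects only.
foreach ($p in $DirPath, $RegPath) {
    (Get-Acl -LiteralPath $p).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group } |
        Select-Object @{n='Path';e={$p}}, IdentityReference, AccessControlType, IsInherited
}

# Confirm the program's users did not also end up as local administrators.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource
```

In a GPO the equivalent entries are set under Computer Configuration > Policies > Windows Settings > Security Settings, in the File System and Registry nodes.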