6

I have a system monitoring tool/service that runs on individual desktops in the network. On the network each user is Local Admin. I would like to make it so that only Domain Admin can uninstall this monitoring tool/service.

How do I change the access permissions to Domain Admin for uninstall and service stop/start for ONLY this application?

  • 3
    The basic issue here is that it's almost impossible to lock the local admin out of doing things to the workstation. The local admin account is explicitly intended to do things of an administrative nature, just limited to this one box, while the Domain Admin is able to do stuff to the whole network. What you really want (it sounds like) is to make the users non-admins! Find out what they need to do and make it possible for a non-admin account to do those things, then switch them over. – Michael Kohne Oct 10 '11 at 13:33

1 Answer

8

Short answer - you can't.

Long answer - you can monkey with permissions on specific registry keys, folders, etc. such that it is more difficult for a local admin to remove the product. If you want to go this way, I recommend the uninstall registry keys under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall.

Unless someone has the know-how, this should stop most casual uninstalls. However, with administrative rights and some quality time with Google you can get around all of these blocks.

You would be much better off working on how to remove admin rights from your workstations. Failing that, make it a policy thing. You do have an acceptable use policy, right? The first time someone is disciplined or terminated for fiddling with these settings it should work itself out.

Tim Brigham
  • 4
    +1. The problem is not that the program can be uninstalled, the problem is all users are local administrators. – jscott Oct 10 '11 at 13:42
  • Agreed that the problem is users having admin. On the other hand, I would not want to work anywhere that won't let me have admin on my workstation. – Zan Lynx Oct 10 '11 at 14:33
  • I'm the same way. The way I figure it, the folks that actively visit Server Fault aren't generally the kind of individuals that need to have their admin rights pulled to stop them from doing this kind of thing. :) – Tim Brigham Oct 10 '11 at 14:42
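The registry-permission approach from the answer, sketched in PowerShell as an added example that is not part of the original answer or comments. The subkey name `ExampleMonitorAgent`, the group `EXAMPLE\Domain Admins` and both function names are placeholders and assumptions; because a local admin can take ownership and rewrite the ACL, the second function reports any principal that has regained write access.

```powershell
# Added example. $ProductKey and $DomainAdmins are placeholders (assumptions).
$ProductKey   = 'ExampleMonitorAgent'        # hypothetical subkey name
$DomainAdmins = 'EXAMPLE\Domain Admins'      # placeholder domain group
$KeyPath = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\$ProductKey"
$Writers = @($DomainAdmins, 'NT AUTHORITY\SYSTEM')

# Rights that let a principal alter or delete the uninstall entry or its DACL.
$WriteMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Set-UninstallKeyAcl {
    param([string]$Path, [string[]]$FullControl, [string[]]$ReadOnly)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent key and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop the remaining explicit entries so only the rules below apply.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRuleSpecific($rule) }
    $grants = @{ FullControl = $FullControl; ReadKey = $ReadOnly }
    foreach ($right in $grants.Keys) {
        foreach ($id in $grants[$right]) {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
                $id, $right, 'ContainerInherit', 'None', 'Allow')))
        }
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-UninstallKeyAclDrift {
    param([string]$Path, [string[]]$Allowed)
    # Any Allow entry with write-type rights for an identity outside $Allowed
    # means the ACL was changed after hardening.
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $WriteMask) -and
        ($Allowed -notcontains $_.IdentityReference.Value)
    } | Select-Object IdentityReference, RegistryRights
}

# Run elevated; does nothing if the placeholder key does not exist.
if (Test-Path $KeyPath) {
    Set-UninstallKeyAcl -Path $KeyPath -FullControl $Writers `
        -ReadOnly 'BUILTIN\Administrators', 'BUILTIN\Users'
    Get-UninstallKeyAclDrift -Path $KeyPath -Allowed $Writers
}
```

An empty result from `Get-UninstallKeyAclDrift` means the hardened ACL is still in place; any row it returns is worth an alert, since this only raises the bar and does not stop a determined local admin.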