KACE Product Support

Local administrator = God on a Windows box. No matter what trick you try to use to stop them from doing something, they can easily thwart it.

Not without some sort of third-party software. I think the big issue here is you allow your users to have local administrative rights on your machines. I'd suggest restricting them to Power User or even User rights.

I don't know anything about KACE and the client, but assuming the client is an MSI installer you could always add the following to the Property Table, with an MST:

ARPNOMODIFY=1

ARPNOREPAIR=1

ARPNOREMOVE=1

This will prevent your users from Modifying, Repairing and Removing the installation from Add/Remove Programs - the buttons will not be present for them to play with.

If the client is already out there, you could push out the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\<{the GUID of the MSI}>

Name Type Data
[align=left]NoModify REG_DWORD 1
[/align]
NoRepair REG_DWORD 1

NoRemove REG_DWORD 1

The only way your users would be able to uninstall the client after adding these settings is by knowing the MSI GUID of the client to put on an msiexec commandline with the uninstall switch.

A mix of both approaches - MST with settings for all new installations, and registry keys for existing installation should help here - although as Andy says above - don't give your users admin rights to be able to remove it in the first place!

Hope that helps,

Dunnpy

Even with the trick above, users with local admin rights can stop and disable the services anyway. Trying to booby-trap the agent isn't going to stop a tenacious user.

it is also possible to make a GPO to avoid uses from touching the services even if they are administrators, then they have to edit the registry if they like to stop it, so yes there's always a work around, but then you can disable the "regedit" program, and then again it's possible from scripts etc if they are smart enough ;P

like airwolf said, if they have admin rights, there god..

we have forced a reinstall of software via login and gpo but if you have a technical user with admin rights, your going to have that issue.

true, but most users who get a "access denied" one time when they try to stop a service or delete a folder or uninstalled will not try to find work around to do it, if they try to do that then they should be considered for a serious talk with the manager if they really like to work at the company enough to work against company choosen systems

We have a bunch of laptop users who are granted Local Administrator rights. I've implemented a logon script which checks for the presence of the KBOX Agent in the Program Files directories and logs to a text file if missing. Not only does this pick up uninstalls of the Agent, but it also tells me if new PCs/laptops are hitting the domain without the Agent installed. Simple batch script:

:TestIfKACEAgentInstalled
if exist "C:\Program Files\KACE\KBOX\KBOXClient.exe" goto KACEAgentInstalled
if exist "C:\Program Files (x86)\KACE\KBOX\KBOXClient.exe" goto KACEAgentInstalled
:KACEAgentMissing
echo %date% %time% KACE Agent missing on %computername% >> \\MYSERVERNAME\Logs$\KACE\KACEAgentMissing.log
goto KACEContinue
:KACEAgentInstalled
echo %date% %time% KACE Agent is installed on %computername% >> \\MYSERVERNAME\Logs$\KACE\KACEAgentInstalled.log
:KACEContinue
exit