/build/static/layout/Breadcrumb_cap_w.png

Stop employees from removing agent

Is there any way to keep employees from removing the Kace agent from their machines? We have users that are going into Add/Remove Programs and uninstalling the Kace agent. Can the agent be password protected to uninstall?

0 Comments   [ + ] Show comments

Answers (8)

Posted by: airwolf 13 years ago
Red Belt
1
Local administrator = God on a Windows box. No matter what trick you try to use to stop them from doing something, they can easily thwart it.
Posted by: airwolf 13 years ago
Red Belt
0
Not without some sort of third-party software. I think the big issue here is you allow your users to have local administrative rights on your machines. I'd suggest restricting them to Power User or even User rights.
Posted by: dunnpy 13 years ago
Red Belt
0
I don't know anything about KACE and the client, but assuming the client is an MSI installer you could always add the following to the Property Table, with an MST:

ARPNOMODIFY=1

ARPNOREPAIR=1

ARPNOREMOVE=1

This will prevent your users from Modifying, Repairing and Removing the installation from Add/Remove Programs - the buttons will not be present for them to play with.

If the client is already out there, you could push out the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\<{the GUID of the MSI}>

Name Type Data
[align=left]NoModify REG_DWORD 1
[/align]
NoRepair REG_DWORD 1

NoRemove REG_DWORD 1

The only way your users would be able to uninstall the client after adding these settings is by knowing the MSI GUID of the client to put on an msiexec commandline with the uninstall switch.

A mix of both approaches - MST with settings for all new installations, and registry keys for existing installation should help here - although as Andy says above - don't give your users admin rights to be able to remove it in the first place!

Hope that helps,

Dunnpy
Posted by: airwolf 13 years ago
Red Belt
0
Even with the trick above, users with local admin rights can stop and disable the services anyway. Trying to booby-trap the agent isn't going to stop a tenacious user.
Posted by: rmeyer 13 years ago
Second Degree Blue Belt
0
it is also possible to make a GPO to avoid uses from touching the services even if they are administrators, then they have to edit the registry if they like to stop it, so yes there's always a work around, but then you can disable the "regedit" program, and then again it's possible from scripts etc if they are smart enough ;P
Posted by: L_Evans 13 years ago
Senior Yellow Belt
0
like airwolf said, if they have admin rights, there god..

we have forced a reinstall of software via login and gpo but if you have a technical user with admin rights, your going to have that issue.
Posted by: rmeyer 13 years ago
Second Degree Blue Belt
0
true, but most users who get a "access denied" one time when they try to stop a service or delete a folder or uninstalled will not try to find work around to do it, if they try to do that then they should be considered for a serious talk with the manager if they really like to work at the company enough to work against company choosen systems
Posted by: stephen.frost 13 years ago
Senior Yellow Belt
0
We have a bunch of laptop users who are granted Local Administrator rights. I've implemented a logon script which checks for the presence of the KBOX Agent in the Program Files directories and logs to a text file if missing. Not only does this pick up uninstalls of the Agent, but it also tells me if new PCs/laptops are hitting the domain without the Agent installed. Simple batch script:

:TestIfKACEAgentInstalled
if exist "C:\Program Files\KACE\KBOX\KBOXClient.exe" goto KACEAgentInstalled
if exist "C:\Program Files (x86)\KACE\KBOX\KBOXClient.exe" goto KACEAgentInstalled
:KACEAgentMissing
echo %date% %time% KACE Agent missing on %computername% >> \\MYSERVERNAME\Logs$\KACE\KACEAgentMissing.log
goto KACEContinue
:KACEAgentInstalled
echo %date% %time% KACE Agent is installed on %computername% >> \\MYSERVERNAME\Logs$\KACE\KACEAgentInstalled.log
:KACEContinue
exit
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ