locked
prevent uninstall and stop service RRS feed

  • Question

  • Hello

    I have FFCS deployed to XP and Vista machines, i am trying to prevent users who are in the local administrators group from uninstalling and also stopping the FFCS services. I found this blog post http://blogs.microsoft.co.il/blogs/yanivf/archive/2009/01/09/temper-protection-in-forefront-client-security.aspx and after following it users who are in the local administrator group on the machine cannot uninstall or stop the serivces, which is great! but the help desk does need to uninstall and stop the service, the help desk group is in local administrators group on every machine, and per the policy settings they are not able to uninstall or stop the service. I tried editing the GPO so instead of "deny" uninstall for the local administrators group, i cleard this check box i then added in the help desk group and gave the group full control permission. After doing this though all users who are in the local admin group can stop the service. How can i allow or give the rights  one group who is a member of the local admin group on every machine the rights or permissions to stop the service and uninstall FFC and prevent users who are members of the local admins group but not a member of the Active directory help desk group from uninstalling and stopping the service

    Thanks very much
    Bulls on Parade
    Wednesday, August 12, 2009 11:21 PM

Answers

  • Hi,

     

    Thank you for your post.

     

    I did some research regarding this issue. I think you cannot achieve your goal. We could remove the helpdesk group from local admins and give them rights to the services/uninstall but then they would not be local admins which would defeat the purpose.

     

    Regards,


    Nick Gu - MSFT
    Friday, August 14, 2009 8:00 AM