Is there any way to keep employees from removing the Kace agent from their machines? We have users that are going into Add/Remove Programs and uninstalling the Kace agent. Can the agent be password protected to uninstall?
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Answers

0
Not without some sort of third-party software. I think the big issue here is you allow your users to have local administrative rights on your machines. I'd suggest restricting them to Power User or even User rights.
Answered 08/08/2011 by: airwolf
Tenth Degree Black Belt

Please log in to comment
0
I don't know anything about KACE and the client, but assuming the client is an MSI installer you could always add the following to the Property Table, with an MST:

ARPNOMODIFY=1

ARPNOREPAIR=1

ARPNOREMOVE=1

This will prevent your users from Modifying, Repairing and Removing the installation from Add/Remove Programs - the buttons will not be present for them to play with.

If the client is already out there, you could push out the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\<{the GUID of the MSI}>

Name Type Data
[align=left]NoModify REG_DWORD 1
[/align]
NoRepair REG_DWORD 1

NoRemove REG_DWORD 1

The only way your users would be able to uninstall the client after adding these settings is by knowing the MSI GUID of the client to put on an msiexec commandline with the uninstall switch.

A mix of both approaches - MST with settings for all new installations, and registry keys for existing installation should help here - although as Andy says above - don't give your users admin rights to be able to remove it in the first place!

Hope that helps,

Dunnpy
Answered 08/08/2011 by: dunnpy
Red Belt

Please log in to comment
0
Even with the trick above, users with local admin rights can stop and disable the services anyway. Trying to booby-trap the agent isn't going to stop a tenacious user.
Answered 08/08/2011 by: airwolf
Tenth Degree Black Belt

Please log in to comment
0
it is also possible to make a GPO to avoid uses from touching the services even if they are administrators, then they have to edit the registry if they like to stop it, so yes there's always a work around, but then you can disable the "regedit" program, and then again it's possible from scripts etc if they are smart enough ;P
Answered 08/09/2011 by: rmeyer
Second Degree Blue Belt

Please log in to comment
1
Local administrator = God on a Windows box. No matter what trick you try to use to stop them from doing something, they can easily thwart it.
Answered 08/09/2011 by: airwolf
Tenth Degree Black Belt

Please log in to comment
0
like airwolf said, if they have admin rights, there god..

we have forced a reinstall of software via login and gpo but if you have a technical user with admin rights, your going to have that issue.
Answered 08/11/2011 by: L_Evans
Senior Yellow Belt

Please log in to comment
0
true, but most users who get a "access denied" one time when they try to stop a service or delete a folder or uninstalled will not try to find work around to do it, if they try to do that then they should be considered for a serious talk with the manager if they really like to work at the company enough to work against company choosen systems
Answered 08/12/2011 by: rmeyer
Second Degree Blue Belt

Please log in to comment
0
We have a bunch of laptop users who are granted Local Administrator rights. I've implemented a logon script which checks for the presence of the KBOX Agent in the Program Files directories and logs to a text file if missing. Not only does this pick up uninstalls of the Agent, but it also tells me if new PCs/laptops are hitting the domain without the Agent installed. Simple batch script:

:TestIfKACEAgentInstalled
if exist "C:\Program Files\KACE\KBOX\KBOXClient.exe" goto KACEAgentInstalled
if exist "C:\Program Files (x86)\KACE\KBOX\KBOXClient.exe" goto KACEAgentInstalled
:KACEAgentMissing
echo %date% %time% KACE Agent missing on %computername% >> \\MYSERVERNAME\Logs$\KACE\KACEAgentMissing.log
goto KACEContinue
:KACEAgentInstalled
echo %date% %time% KACE Agent is installed on %computername% >> \\MYSERVERNAME\Logs$\KACE\KACEAgentInstalled.log
:KACEContinue
exit
Answered 08/17/2011 by: stephen.frost
Senior Yellow Belt

Please log in to comment
Answer this question or Comment on this question for clarity