Video Screencast Help

How to prevent users from disabling / exiting altiris client and altiris agent

Created: 18 Dec 2009 • Updated: 23 Jun 2010 | 3 comments

I have several hundred windows xp clients running both altiris client and altiris agent.  None of the users have administrative priv but I noticed that any user can exit the agents.  How do I prevent this?

Thanks.
Mark

Comments 3 CommentsJump to latest comment

mclemson's picture

Password protect the AClient interface
Make sure your AClient interface is password-protected.  I assume everybody does this.

Hide the agent icon
Agent Settings > Security > Hide Agent

Create a script or Group Policy to keep the service running
A group policy could force the system to check the status of Altiris services and start them if someone has stopped them.

Why are they disabling the AClient?
Don't ignore political or relational means.  For example, why is the user disabling the AClient?  We had a web developer sitting only a few desks away who would disable it because he believed it was slowing down his computer.  We were able to look at it and determine that the issue wasn't the AClient at all.  You may want to take this as an opportunity to explain to the user why the AClient is an important tool to keep the computer running properly.

Or does your company have a policy which covers this issue, where users are disabling a management tool?  If so, you may wish to make the user aware of the policy.

Mike Clemson, Senior Systems Engineer, ASC
Intuitive Technology Group -- Symantec Platinum Partner
intuitivetech.com

bhawver's picture

I do this via Group Policy in Active Directory.  Using the Group Policy Management Console I created a policy and assigned it to the top most OU.  You can then set service permissions under Computer Configuration --> Windows Settings --> Security Settings --> System Services.  Keep in mind, in order for the Group Policy Object Editor to see it, it needs to be installed on that machine.

Brian Hawver
Systems Engineer
Yaskawa America, Inc.

Connect Etiquette: "Mark as Solution" those posts which resolve your problem, and give a thumbs up to useful comments, articles and downloads.

Luiz Faro's picture

Even if you are not in the domain, you can use XCACLS to reinforce the permissions, and even revoke the permissions of a local admin to stop the service. This article can show you how:

https://www-secure.symantec.com/connect/articles/f...

Although it was designed for NS Software Delivery, there is no reason why it wouldn't work on DS.

Good luck !