Using GPOs to restrict users from being able to stop the AClient service.
Using GPOs to restrict an end user from being able to shut down or delete the AClient service is a good thing, especially if you have an environment of users that generally have full control of their computers (administrative rights).
In order to do this you will need the AClient installed on the computer, server, or domain controller that you are creating or modifying the GPO from. This will add it to the list of services under "Computer Configuration\Windows Settings\System Services".
You can then set the service to Automatic and "Edit Security".
This is where you need to be careful. Do NOT add the Everyone group and deny the Stop and Delete permissions. As ALL accounts are part of the Everyone group, this essentially denies even domain administrators the option of shutting down, upgrading, or uninstalling the AClient. If you run an upgrade and have "Everyone" denied the ability to stop the service, your clients will see "Error 32 while copying new AClient.exe file".
What I did was add the Domain Users group and deny the access to stop for this group. I then ensured that the domain administrator accounts were not part of the Domain Users group.
Just wanted to share this as it was certainly a headache that was self-inflicted!
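To check what a client actually ended up with, the service's security descriptor can be parsed for deny entries on Stop and Delete. The following is an added example, not part of the original post: the function name `Get-ServiceDenyAce`, the service short name `AClient` in the comment, and both SDDL strings are assumptions constructed for illustration.

```powershell
# Added example. SDDL right codes for services: WP = SERVICE_STOP (0x20), SD = DELETE (0x10000).
# Trustee codes: WD = Everyone, AU = Authenticated Users, DU = Domain Users.
function Get-ServiceDenyAce {
    param([Parameter(Mandatory)][string]$Sddl)

    # Isolate the DACL: the text after "D:" up to an optional SACL ("S:").
    $dacl = [regex]::Match($Sddl, 'D:(.*?)(?:S:|$)').Groups[1].Value

    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        $f = $m.Groups[1].Value -split ';'
        if ($f.Count -lt 6 -or $f[0] -cne 'D') { continue }   # deny ACEs only

        $rights = $f[2]
        if ($rights -match '^0x[0-9a-f]+$') {
            # Rights given as a hex access mask
            $mask   = [Convert]::ToInt64($rights, 16)
            $stop   = ($mask -band 0x20) -ne 0
            $delete = ($mask -band 0x10000) -ne 0
        } else {
            # Rights given as a run of two-letter codes
            $codes  = [regex]::Matches($rights, '..') | ForEach-Object { $_.Value }
            $stop   = $codes -ccontains 'WP'
            $delete = $codes -ccontains 'SD'
        }
        if (-not ($stop -or $delete)) { continue }

        [pscustomobject]@{
            Trustee              = $f[5]
            DeniesStop           = $stop
            DeniesDelete         = $delete
            # Everyone and Authenticated Users contain every signed-in account, admins included.
            # For other groups (such as DU) the answer depends on group membership.
            AlwaysIncludesAdmins = ($f[5] -cin @('WD', 'AU'))
        }
    }
}

# Constructed sample descriptors (not captured from a real client).
# On a live machine the string would come from: sc.exe sdshow AClient  (service name assumed)
$samples = [ordered]@{
    'Deny on Everyone'     = 'D:(D;;WPSD;;;WD)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
    'Deny on Domain Users' = 'D:(D;;WP;;;DU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
}
foreach ($name in $samples.Keys) {
    Get-ServiceDenyAce -Sddl $samples[$name] |
        Select-Object @{ n = 'Case'; e = { $name } }, * | Format-Table -AutoSize
}
```

A row with `AlwaysIncludesAdmins` set to True is the configuration that leads to the upgrade failure described above.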
Comments
Thanks for the post. I'm sure this will be helpful to a lot of people.