Client Management Suite

Thanks for helpfull artical.

I think that a lot of people, particularly IT people, like to stop agents like this as soon as they can...they all perceive a performance hit from anything, whether real or imagined.  Being able to prevent and enforce the policy is a godsend.

 I find it strange no one else discusses this issue but I had exactly the problem you describe where the service will not start.

Secondly, MAKE SURE YOU ADD 'AUTHENTICATED USERS' to have only READ rights to this GPO, other wise, the agents will stop reporting and NEVER start.

For clarification though,   this should read: "ADD 'AUTHENTICATED USERS' to have only READ rights to this SERVICE"  Atleast this is what I found.  Not sure how you give them READ Rights to the GPO only.  So I wanted to clarify what I found and what I think you meant.

This is something I created for my company a couple of years ago....so it might be a bit outdated (First posted on Altirigos.com) http://altirigos.com/vbulletin/scripting-tools-docs/5916-preventing-users-stopping-altiris-service.html

Assuming all these PC's are part of a Domain:

Create a Computer Group Policy Object that prohibits the stopping of both Altiris Services (NS and DS). Typically this policy must be created on a machine with the services installed.

Take away local admin rights to that policy and only allow the domain group of your choice to have full rights to it. (Example: If you are in Desktop_Engineering, only grant Desktop_Engineering group rights to this GPO)

Secondly, MAKE SURE YOU ADD 'AUTHENTICATED USERS' to have only READ rights to this GPO, other wise, the agents will stop reporting and NEVER start.

As a safety net, I have another GPO that adds Altiris_SVC to be an Administrator of all PC's within the domain. I also add this account with full rights to the GPO stated above (stopping users from disabing the Altiris services)

Doing this prohibits the users from stopping the service, the process and from deleting key files from the folders. Granted this may not be 100% effective, but in my environment it works great!

Great Article Screenbert!  I may need to updated my GPO's!!

For sure, some "users" still need (or abuse) to keep use their machine with "local admin" rights. That's a good idea to follow, I will recommand this my customers.
Thanks your post.

Nice article, we were looking for a creative way to do this here at our company.

Nice Idea! I will try that next time!

Every services has recovery options that can be set (The recovery tab when loooking at a service.) Just set thisvia Group policy to restart on failure, that way even if they kill the exe then it restarts automatically.

Robert,
Nice work.  We are looking at doing the same for our Antivirus services, which some of our IT users have been notorious for terminating as it apparently affects their compiling performance.  The funny thing was that testing showed that their software compilation was actually a few seconds faster when A/V was enabled than with it off (strange I know)!  Unfortunately the above method does not (AFAIK) prevent local admins from simply terminating the service's .exe (AeXNSClient.exe); any tips for that one?  I was thinking of setting a Task Scheduler-based script that ran every 10 minutes or so to check for the services and restart them if they were disabled. 

I was also looking at using App Metering to meter the process Stop events, but of course you have to meter Start events to meter Stop events.  The tricky part was that in some cases it recorded a Stop event for a system shut down/reboot, not just the actual process terminating.  I've been thinking about how to best report that the system is up but the A/V service is down...probably have to use basic inventory or Event data of some sort.