1

Is there a way to prevent a Windows Vista client who is a local administrator of her own machine to remove a installed program? The program should not be removed by clients either from normal mode or safe mode.

fxam
  • 157
  • 6

3 Answers3

10

No. If they are a local administrator, they have full privileges over their machine, you can't prevent them from doing anything.

Boinst
  • 226
  • 1
  • 11
1

This is not entirely true, it really depends on how much work you want to do and how savy you think they are. Look at the idea posted here: http://discuss.pcmag.com/forums/thread/106231001.aspx I'd be willing to bet that would work just fine

Eric C. Singer
  • 2,329
  • 16
  • 17
  • 2
    Did you actually read your link? What does that prevent an admin from doing? – jscott Feb 24 '12 at 03:57
  • So first, just becasue you're an admin, doesn't mean you can't be locked out / restricted from doing stuff. To answer your question more specifically, if he were to do two things: modify the registry permissions for that app, and take it a second step further by modifying the NTFS permissions he could make it very difficult for that staff member to remove the app. Notice i didn't say impossiable, nor did i dispute that this is a managment issue. – Eric C. Singer Feb 24 '12 at 13:28
  • 1
    *"Make it very difficult"*? No, I disagree. Reverting the changes, as an admin, would be as trivial as applying them. The OP's question asks *"How to prevent..."*, not *"How to make more steps in order to..."*. FWIW, I've not downvoted you, although I think your post is more a comment than an answer. – jscott Feb 24 '12 at 13:47
  • To be clear, i'm saying if we're talking about "joe user" not tech savy border line tech user. It's easy for a user to go to add/remove programs, it's not intate knowledge to find the correct registry key and revert permissions. It's only trivial for someone at our level. I know this as we've had files that needed to be distributed to staff locally but needed to be locked down to only certain users. – Eric C. Singer Feb 24 '12 at 14:26
  • 1
    Secondly we removed the security tab, thus forcing them to dig into the command line. So we're starting to get to a point where you'd really need to know what you're doing to change anything. My point with all this is, you can put measures into make it more difficult, but I'm not disputing that it's not possiable to circumvent. The question is, can the averge user circumevent a solution such as this, and i remain steadfast that its likely they cannot. – Eric C. Singer Feb 24 '12 at 14:28
  • sorry if it's coming of as curt, that's not my intention. Although i am a little anoyed about the down vote. – Eric C. Singer Feb 24 '12 at 14:31
  • 1
    No worries here, no offense taken. The additional information from your comments would make nice inclusions for your answer. The extra changes you've described provide a lot more detail than a single link to a PCMag forum post. I think you could build a stronger answer using your knowledge/config info. – jscott Feb 24 '12 at 15:02
  • You need to be a PhD computer scientist to use CACLS to edit permissions via the command line. Removing the security tab forces them to go this route, which the vast majority of users wouldn't be able to do easily. – Bigbio2002 Feb 24 '12 at 15:58
1

As others have said it's a management issue but there is a way to reinstall an application if you have a client on the domain and deploy the software via group policy.

Do you have a group policy that deploys the software? While it won't redeploy automatically if someone removes the software you can use the procedure documented at http://www.frickelsoft.net/blog/?p=103 to force it to reinstall.

If you can remotely access the computer's registry you could remove the GUID of the application and then group policy would take care of it.

Enigman
  • 26
  • 1