QuestionCan I prevent users who are local administrators on their computers from stopping or disabling the Altiris Service?
Answer
Hardening the Altiris Agent
This document outlines how to prevent Local administrators from being able to stop or disable the Altiris Agent, AClient, or Carbon Copy. While this document describes the process using Deployment Solution, it can also be done using Software Delivery.
- Download subinacl.exe from Microsoft's Web site (http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en) and extract it.
- Place Subinacl.exe into a folder under the eXpress share (that is, Tools).
- Set up a new job in Deployment Solution; Task 1 is to copy subinacl.exe onto the target computer into C:\windows\temp. Task 2 should run the following script:
'vbscript
Option Explicit
On error Resume Next
Dim WshShell
Dim oShell
Dim strServiceName(5)
Dim strDFSPath
Dim n
Set oShell = CreateObject("wscript.shell")
Set WshShell = WScript.CreateObject("WScript.Shell")
strDFSPath = "c:\windows\temp\"
strServiceName(0) = "Aclient"
strServiceName(1) = "AeXNSClient"
strServiceName(2) = "AeXNSClientTransport"
strServiceName(3) = "CarbonCopy32"
n = 0
For n = 0 to 3
WshShell.run (strDFSPath & "subinacl.exe /service " & strServiceName(n) & " /grant=SYSTEM=F"),0,True
WshShell.run (strDFSPath & "subinacl.exe /service " & strServiceName(n) & " /revoke=Administrators"),0,True
WshShell.run (strDFSPath & "subinacl.exe /service " & strServiceName(n) & " /revoke=" & chr(34) & "Power Users" & chr(34)),0,True
Next