Preventing Users from stopping the Altiris Service

Discussion in 'Scripting/Tools/Docs' started by oakleynike, Feb 19, 2007.

  1. oakleynike Member

    If anyone has ever had the issue of users stopping their Altiris Service or uninstalling the product, the following should help.

    If you happen to go to a company where they allow most users to be admins of their PC, you may notice NS or DS agents not checking in (in my case, this happens mostly in IT).

    Assuming all these PCs are part of a Domain:

    Create a Computer Group Policy Object that prohibits the stopping of both Altiris Services (NS and DS). Typically this policy must be created on a machine with the services installed.

    Take away local admin rights to that policy and only allow the domain group of your choice to have full rights to it. (Example: If you are in Desktop_Engineering, only grant Desktop_Engineering group rights to this GPO)

    Secondly, MAKE SURE YOU ADD 'AUTHENTICATED USERS' to have only READ rights to this GPO, otherwise, the agents will stop reporting and NEVER start.

    As a safety net, I have another GPO that adds Altiris_SVC to be an Administrator of all PCs within the domain. I also add this account with full rights to the GPO stated above (stopping users from disabling the Altiris services).

    Doing this prohibits the users from stopping the service, the process and from deleting key files from the folders. Granted this may not be 100% effective, but in my environment it works great!

    Lastly, I posted a "Tips and Tricks" document which takes away Altiris Solutions from the Add/Remove Programs list which can be found here..... this will take away rights to even see the solutions installed and more!

    Hope this helps!

  2. skakid New Member

    Sweet! We've had a heck of a time with this issue. We tried this previously, but ran into an issue with it not reporting in.

    I'm guessing the server guys missed the "READ" Permissions for everyone. :doh:
  3. oakleynike Member

    Hey, glad I could help! I just recently figured all of this out and thought I would share with everyone so they don't have to go through the same mess that I did!


  4. Nick Altiris/AppSense Guru

    Good tip Justin.

    Another way (though not free) is to use EndPoint Security Solution to keep someone from stopping the process.

    If you want to keep an eye on who might be trying to uninstall the various Altiris agents you may consider using Application Metering to report in on anyone attempting to run the uninstallers.
  5. dominique Sticky...

    Hello Justin,

    The "Read" Permissions you mentioned is the one on top of the list, which is a "Read All Properties" thing, and could it be restricted at a down level by a combination of the following list:
    - Read All Properties
    - Read permissions
    - Read Account Restrictions
    - Read Group Membership
    - Read Logon Information
    - Read Remote Access Information
    - Read General Information
    - Read Web Information
    - Read Personal Information
    - Read Public Information

    I am asking this as in our environment even a Read is a huge issue to give... the less we give, the less we will be asked by our management to detail and document the purpose.

  6. mbstlcop New Member

    I am just playing around with a demo of ESS now. How would you prevent the Altiris Agent from being stopped? From what little I've played with it, it just seems like I can limit network access until the user restarts the service. Am I missing something? This would be fantastic if it protects processes.
  7. Nick Altiris/AppSense Guru

    I was going off information that I recalled during a demo of ESS.

    I emailed the rep that gave me the demo to see if he could further expand on it and this is what he said.

    "You can use the "endpoint integrity checks" to see if a service is running and if it is not, switch it to a "all closed" Firewall and put up a custom message telling the user that the service is not running."

    "The layman explanation for that is that it would let the user know that the service is stopped and has placed their system in an "All Closed Firewall" which would prevent them from working until the service was restarted"

    Sorry if my information was misleading. I get a little trigger happy. :doh:
  8. Hoveyg New Member

    Here is a little script that would restart the aclient services if somehow the user killed the service. It's not as good as the solutions above, but works.

    REM Script to make the Altiris services restart if accidentally stopped
    sc failure AClient reset= 3600 actions= restart/5000
    sc failure AeXNSClient reset= 3600 actions= restart/5000
  9. anouar New Member


    I need more detail on this topic. As you know, the Altiris service is controlled by the system account, so when I create my GPO policy, what privilege can I put to the "Authorite NT/system" account?
    You will find my GPO config here:

    Type       Account                                Permission
    Refuser    AUTORITE NT\INTERACTIF                 Arrêter, Pause et reprise
    Refuser    AUTORITE NT\Utilisateurs authentifiés  Arrêter, Pause et reprise
    Autoriser  TUNELEC\administrateur                 Contrôle total
    Autoriser  TUNELEC\altiris                        Contrôle total
    Autoriser  AUTORITE NT\INTERACTIF                 Lecture
    Autoriser  AUTORITE NT\INTERACTIF                 Démarrer
    Autoriser  AUTORITE NT\SYSTEM                     Contrôle total
    Autoriser  AUTORITE NT\Utilisateurs authentifiés  Lecture
    Autoriser  AUTORITE NT\Utilisateurs authentifiés  Démarrer
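
Added example, not part of any post in this thread: a Python check that takes the SDDL string printed by `sc sdshow <service>` and reports whether an interactively logged-on local administrator can still stop or pause the agent service. Both sample strings are constructed; `RESTRICTED` encodes the built-in accounts from the entries listed above (the two domain accounts are left out), assuming "Read" maps to `CCLCSWLORC` and "Start" to `RP`.

```python
import re

# One ACE: (type;flags;rights;object;inherit_object;trustee). Only plain allow (A)
# and deny (D) ACEs with two-letter right codes match; audit ACEs are skipped.
ACE_RE = re.compile(r"\(([AD]);[^;]*;((?:[A-Z]{2})+);[^;]*;[^;]*;([^)]+)\)")
ALL_RIGHTS = set("CC DC LC SW RP WP DT LO CR SD RC WD WO".split())
STOP, PAUSE_CONTINUE, START = "WP", "DT", "RP"  # meaning on a service object

def parse_aces(sddl):
    """Return [(ace_type, rights_set, trustee)] in the order they appear."""
    aces = []
    for ace_type, rights, trustee in ACE_RE.findall(sddl):
        codes = set(re.findall("..", rights))
        if "GA" in codes:  # generic all
            codes = set(ALL_RIGHTS)
        aces.append((ace_type, codes, trustee))
    return aces

def effective_rights(sddl, token):
    """Walk the ACEs in order, as the Windows access check does: a deny ACE
    blocks any right not already granted, an allow ACE grants any right not
    already denied. `token` is the set of trustees the caller belongs to."""
    granted, denied = set(), set()
    for ace_type, rights, trustee in parse_aces(sddl):
        if trustee not in token:
            continue
        if ace_type == "D":
            denied |= rights - granted
        else:
            granted |= rights - denied
    return granted

def audit(sddl):
    """Return findings for an agent service DACL (empty list = as intended)."""
    findings = []
    # Interactive logon by a user who is also a local administrator.
    user = effective_rights(sddl, {"IU", "AU", "BA"})
    if STOP in user:
        findings.append("interactive admin user can stop the service")
    if PAUSE_CONTINUE in user:
        findings.append("interactive admin user can pause the service")
    if not {START, STOP} <= effective_rights(sddl, {"SY"}):
        findings.append("SYSTEM lacks start/stop control")
    return findings

# Constructed samples in the format printed by `sc sdshow <service>`.
DEFAULT_LIKE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)")
RESTRICTED = ("D:(D;;WPDT;;;IU)(D;;WPDT;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
              "(A;;CCLCSWRPLORC;;;IU)(A;;CCLCSWRPLORC;;;AU)")
```

`audit(DEFAULT_LIKE)` returns two findings and `audit(RESTRICTED)` returns none, because the deny entries for the interactive and authenticated-user trustees are evaluated before any allow entry the same logon would match.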

