Make a program un-uninstallable by Local Admin

I have a system monitoring tool/service that runs on individual desktops in the network. On the network each user is Local Admin. I would like to make it so that only Domain Admin can uninstall this monitoring tool/service.

How do I change the access permissions to Domain Admin for uninstall and service stop/start for ONLY this application?


Solution 1:

Short answer - you can't.

Long answer - you can monkey with permissions on specific registry keys, folders, etc., such that it is more difficult for a local admin to remove the product. If you want to go this way, I recommend the uninstall registry keys under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall.

Unless someone has the know-how, this should stop most casual uninstalls. However, with administrative rights and some quality time with Google you can get around all of these blocks.

You would be much better off working on how to remove admin rights from your workstations. Failing that, make it a policy thing. You do have an acceptable use policy, right? The first time someone is disciplined or terminated for fiddling with these settings it should work itself out.
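
Added example, not part of the answer above and not the answerer's code: one way to apply the registry-permission change it describes, run from an elevated PowerShell session. The subkey name `<ProductUninstallKeyName>` and the domain `CONTOSO` are placeholders, and the script assumes the product registers under the 64-bit Uninstall key rather than `WOW6432Node`.

```powershell
# Added illustration. Placeholders (assumptions, not from the original post):
$ProductKey   = '<ProductUninstallKeyName>'   # the tool's subkey under Uninstall (often a GUID)
$DomainAdmins = 'CONTOSO\Domain Admins'       # replace CONTOSO with your domain

$path = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\$ProductKey"
if (-not (Test-Path -Path $path)) {
    throw "Uninstall key not found: $path"
}

$acl = Get-Acl -Path $path

# Stop inheriting ACEs from the parent Uninstall key and drop the inherited copies,
# so the broad "Administrators: Full Control" entry no longer applies to this key.
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit ACEs already on the key so only the rules below remain.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Well-known SIDs avoid problems with localized group names.
$system      = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18')      # LocalSystem
$localAdmins = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-544')  # BUILTIN\Administrators
$domAdmins   = [System.Security.Principal.NTAccount]::new($DomainAdmins)

# Domain Admins and SYSTEM keep full control; local Administrators can only read the key.
$acl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
    $domAdmins, 'FullControl', $inherit, $prop, $allow))
$acl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
    $system, 'FullControl', $inherit, $prop, $allow))
$acl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
    $localAdmins, 'ReadKey', $inherit, $prop, $allow))

Set-Acl -Path $path -AclObject $acl

# Show the resulting ACL so the change can be verified.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
```

As the answer says, this only deters casual uninstalls: an account with local administrative rights can reverse the change.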