Make a program un-uninstallable by Local Admin

I have a system monitoring tool/service, that runs on individual desktops in the network. On the network each user is Local Admin. I would like to make it so that only Domain Admin can uninstall this monitoring tool/service.

How do I change the access permissions to Domain Admin for uninstall and service stop/start for ONLY this application?

Solution 1:

Short answer - you can't.

Long answer - you can monkey with permissions on specific registry keys, folders, etc such that it is more difficult for a local admin to remove the product. If you want to go this way I recommend the uninstall registry keys under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall.

Unless someone has the known how this should stop most casual uninstalls. However with administrative rights and some quality time with Google you can get around all of these blocks.

You would be much better of working on how to remove admin rights from your workstations. Failing that make it a policy thing. You do have an acceptable use policy right? The first time someone is disciplined or terminated for fiddling with these settings it should work itself out.

How do I set my MX records such that mail to my domain goes one place, and mail to all subdomains goes elsewhere?

Where does Xenserver store local VMs

How to convert Xen image to VirtualBox?

identify / fingerprint a Windows Server core installation versus full

Is it necessary to have a server in China?

Best practice advise asked when users want to work on their workstation and from remote (but on their desktop), on Windows

Apache, Permission denied on mod_wsgi, fixed with WSGISocketPrefix -- But why?

Kernel updates without rebooting

Can I modify a Windows 7 environment to allow a .NET program to always run as Administrator?

Dovecot 2 /auth-userdb permissions

How to re-activate disabled Apache 2.2 AJP connections?

Jenkins reports reverse proxy setup incorrect with Apache using virtual hosts with SNI