how to prevent application to be uninstalled by a user (w/o admin rights)?

Andriy Tylychko picture Andriy Tylychko · Feb 4, 2011 · Viewed 17.4k times · Source

I need to forbid to uninstall an application (not a service!) by a user w/o some special rights. How to do this? installation will be done by domain administrator

thanks for your time

[EDIT] also I need to prevent removing the application from windows startup

[EDIT1] to clarify: application is simple and is installed in its folder and added to windows startup (actually to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry). What I need exactly is to forbid to remove this folder and this registry key, for ordinal users, not for local admins.

Answer

rene picture rene · Feb 7, 2011

[updated] the file location is easy. That is simple revoking write permission on the folder and all its subfolders and files for Builtin\Users, and giving Builtin\Administrators full permmision. You can set this via the Explorer, properties-> permissions or commandline wise with cacls (or icalcs if you're on win7)

The regkey is on my win7 box already only readable (not writeable) by Users and read/write by local admins (regedit -> Context menu -> Persmissions).

If it still doesn't behave like you want figure out what groups a normal user is in (also domain groups) and then check how those groups are propagated to the local machine.

And as sugested by Ben in the comments, you might start a new question on Server Fault.

[end update]

[before edite response] I doubt you can disallow the uninstall of 'one' application. By means of a Group Policy you can "Pohibit removal of updates"

(in GPedit.msc under Computer Config/Admin templates/windows components/windows installer)

The Group Policy is set by a domain admin and is enforced across the domain so it doesn't require 'persmissions'. But you need off course to also prevent local admins from editing the local group policy.

Another more daunting option would be to use a group policy in the Software Rectriction part of Security Settings. Here you can enter a path policy for the name of the msi or exe file that you do not want to be run.

Both require validating/testing to prevent that to much restriction prevent everybody from starting anything...