How to prevent a user from uninstalling an application (without administrator rights)?

Question:

I need to forbid uninstalling an application (not a service!) by a user w/o some special rights. How to do this? Installation will be done by a domain administrator.

Thanks for your time

Also, I need to prevent removing the application from Windows startup.

To clarify: the application is simple; it is installed in its folder and added to Windows startup (actually to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry). What I need exactly is to forbid removing this folder and this registry key for ordinary users, not for local admins.

[updated] The file location is easy. That is simply revoking write permission on the folder and all its subfolders and files for Builtin\Users, and giving Builtin\Administrators full permission. You can set this via Explorer, Properties -> Permissions, or command-line-wise with cacls (or icacls if you're on Win7).

The regkey is on my Win7 box already only readable (not writeable) by Users and read/write by local admins (regedit -> Context menu -> Permissions).

If it still doesn't behave like you want, figure out what groups a normal user is in (also domain groups) and then check how those groups are propagated to the local machine.

And as suggested by Ben in the comments, you might start a new question on Server Fault.

[end update]

[before edited response] I doubt you can disallow the uninstall of 'one' application. By means of a Group Policy you can "Prohibit removal of updates"

(in GPedit.msc under Computer Config/Admin templates/windows components/windows installer)

The Group Policy is set by a domain admin and is enforced across the domain, so it doesn't require 'permissions'. But you need, of course, to also prevent local admins from editing the local group policy.

Another more daunting option would be to use a group policy in the Software Restriction part of Security Settings. Here you can enter a path policy for the name of the msi or exe file that you do not want to be run.

Both require validating/testing to prevent that too much restriction prevents everybody from starting anything...
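
One way to apply the folder permissions described in the answer above and then check both the folder tree and the Run key for accounts that can still write, as an added example that is not part of the original post. The install path `C:\Program Files\ExampleApp` and the helper name `Get-UnexpectedWriteAce` are assumptions.

```powershell
# Run from an elevated prompt. $AppDir is a placeholder path, not from the post.
$AppDir = 'C:\Program Files\ExampleApp'
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Well-known SIDs instead of names, so localized group names do not matter.
$Admins = 'S-1-5-32-544'   # BUILTIN\Administrators
$System = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$Users  = 'S-1-5-32-545'   # BUILTIN\Users
$TrustedInstaller = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

# Folder: remove inherited ACEs, then grant full control to Administrators and
# SYSTEM and read/execute to Users; (OI)(CI) passes this on to files and subfolders.
icacls $AppDir /inheritance:r /grant:r "*${Admins}:(OI)(CI)F" "*${System}:(OI)(CI)F" "*${Users}:(OI)(CI)RX"
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $AppDir" }

# Rights that let an account change or delete the object or rewrite its ACL.
$FsWrite  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$RegWrite = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

# Lists every Allow ACE that grants one of those rights to an account other than
# Administrators, SYSTEM or TrustedInstaller (for example a domain group).
function Get-UnexpectedWriteAce {
    param([string]$Path, [int]$Mask, [string]$RightsProperty)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($Admins, $System, $TrustedInstaller) -contains $sid) { continue }
        if (([int]$ace.$RightsProperty -band $Mask) -eq 0) { continue }
        New-Object PSObject -Property @{
            Path = $Path; Sid = $sid; Rights = $ace.$RightsProperty; Inherited = $ace.IsInherited
        }
    }
}

# Walk the whole tree: explicit ACEs on children are not reset by the icacls call above.
$targets   = @($AppDir) + @(Get-ChildItem -Path $AppDir -Recurse -Force | ForEach-Object { $_.FullName })
$findings  = @($targets | ForEach-Object { Get-UnexpectedWriteAce $_ $FsWrite 'FileSystemRights' })
$findings += @(Get-UnexpectedWriteAce $RunKey $RegWrite 'RegistryRights')
$findings | Format-Table -AutoSize
```

An empty table means only Administrators, SYSTEM and TrustedInstaller hold write or delete rights on the folder tree and the Run key; any row that does appear names the SID whose group membership needs checking.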