Qer
-
Total Posts
:
56
- Scores: 0
-
Reward points
:
17340
- Joined: 4/29/2010
-
Status: offline
|
protection SCCM
Wednesday, May 23, 2012 11:45 PM
( permalink)
Dear all, anyone knows how we can protect our sccm client from behavior other user, for example : sms agent host disable, account sccm administrator remove by user. or user delete folder CCM. I think this is for security SCCM in order not to be disturbed by a user who nosy. need your advise.. regards Qer
|
|
|
|
msmith515
-
Total Posts
:
109
- Scores: 5
-
Reward points
:
23270
- Joined: 11/30/2008
- Location: Brisbane, QLD, Australia
-
Status: offline
|
Re:protection SCCM
Thursday, May 24, 2012 12:01 AM
( permalink)
As always there are many ways you can achieve what you are asking. Does the user/s have local admin rights, if so I would recommend that you start trying to remove them post-hast Here are some ideas for the problems you described. SMS Agent host Disable: - Group Policy preferences can be your friend here as it re-evaluates regularly, which means that you can control the state which the SMS Host Agent is. They might be able to stop it but it will start up again in X minutes
Account removed from local admins: - Again GPP can solve this for you. You can also use standard GPO's but they are lot more restrictive than GPP
Deleting the CCM folder: - This one is a bit tricker as depending on where it it is installed and what rights the user has over the system, you could change the permission on the directory to prevent the user being able to delete it. This will some serious testing.
- The other option is something like this http://emptygarden.info/2011/01/19/sccm-computer-startup-scriptpart-1/ this will re-install the client if it isn't there.
The other option is also to take it up with management if possible, your company has paid and implemented Config Mgr for a reason for someone to say. screw that! should be taken up with management.
|
|
|
|
Qer
-
Total Posts
:
56
- Scores: 0
-
Reward points
:
17340
- Joined: 4/29/2010
-
Status: offline
|
Re:protection SCCM
Thursday, May 24, 2012 1:21 AM
( permalink)
Thank's for you link to " thank you very much" so, how i can setting Group Policy preferences?
|
|
|
|
msmith515
-
Total Posts
:
109
- Scores: 5
-
Reward points
:
23270
- Joined: 11/30/2008
- Location: Brisbane, QLD, Australia
-
Status: offline
|
Re:protection SCCM
Thursday, May 24, 2012 1:27 AM
( permalink)
|
|
|
|
Qer
-
Total Posts
:
56
- Scores: 0
-
Reward points
:
17340
- Joined: 4/29/2010
-
Status: offline
|
Re:protection SCCM
Thursday, May 24, 2012 4:42 AM
( permalink)
Thank you..but do you have other way? because i can't find gpp.
|
|
|
|
CAP
-
Total Posts
:
143
- Scores: 0
-
Reward points
:
34860
- Joined: 12/9/2011
-
Status: offline
|
Re:protection SCCM
Thursday, May 24, 2012 8:39 AM
( permalink)
Talk to management as stated above. Also look into removing admin rights for users. Group policy allows you to protect services only putting gorups that start or start that particular service. Like stated above get with management all companies have some type user acceptance policy for workstations. This could fall under a violation of that policy.
|
|
|
|
jsandys
-
Total Posts
:
1395
- Scores: 131
-
Reward points
:
58420
- Joined: 3/24/2005
- Location: San Antonio, TX
-
Status: offline
|
Re:protection SCCM
Thursday, May 24, 2012 11:13 AM
( permalink)
Taking away local admin permissions, as stated above by the others, is the *only* way to address this issue. If a user is a local admin, nothing you can do will stop them from doing whatever they want on the system.
|
|
|
|