Locking Down BES Client Service

(imported topic written by chipjnr)

Hi,

Some users set the BES Client service to disabled/manual to prevent the workstations rebooting after patches have been deployed. I’d like to lock down the BES Client service so they can’t change the Startup type or Stop the service.

The user would be local administrator on the box so can this be done?

Regards,

Neil

(imported comment written by SystemAdmin)

Hi Neil,

I don’t believe Windows will let you stop an administrator from being able to modify services in this way.

The best you could do is have another service restart the BES Client if an administrator does this.

(imported comment written by BenKus)

Hey Neil,

Tyler is correct and an administrator has full-authority on the computer by design. Any trick you put in place can be undone by a determined administrator.

Some tools put in place “uninstall passwords” or hook the OS to prevent shutdown of services, but not only are these defeatable, but they are potentially destabilizing. They can also cause extra administrative overhead which can be annoying and costly.

Note that you will always see the “Last Report Time” of computers and if you are using BES Asset Discovery, you can find computers with the agent turned off.

Also, we have built a solution in the past where we have a “watcher” application that will start the BES Client if it is stopped. I can send you info on this if you would like.

Ben

(imported comment written by chipjnr)

Hi Tyler/Ben,

Thanks for your replies. Could you please send me on the info regarding the watcher application?

neil.murphy@c2kni.net

I had initially set the Recovery action to restart the service but the administrator changed the service startup type to disabled.

Thanks,

Neil

(imported comment written by StacyLee)

If your computers are in an Active Directory domain you could force the BES Client service setting to automatic via GPO. The local administrator could still stop and disable it but it would be set back to automatic upon the next GPO refresh. I’m not sure if the service would restart with the restart failure setting though.

(imported comment written by go4u)

Hi Ben, could you send a copy of the “watcher” application to my email listed in the forum? Thanks!

(imported comment written by BenKus)

Hi go4u,

I am attaching a Fixlet that will download and run the client watcher program. If the client watcher is running, it will take care of restarting the BES Client service if it is stopped and it also will change the status from “Manual” or “Disabled” back to “Automatic”. More information is in the Fixlet text.

Some of my tests showed that the logging wasn’t being written out properly and I will investigate further, but it appears to work other than that.

You must be logged in as your user account to see the attached Fixlet.

Note that this has not been extensively tested and is provided “as-is” with no guarantees.

Let me know if you see any issues,

Ben


(imported comment written by Yuvaraj_Devadass)

Hi Ben,

When I import the watcher.bes file in the TEM console I get the error below.


Content Import Error


The content in ‘attachment_14745116_client_watcher.bes’ could not be imported.

XML parsing error:

‘>’ expected.

Line 84, Character 22


OK


(imported comment written by BenKus)

I just tried it again and it worked… You might look at the .bes (xml) file to see if it looks formatted properly… it is possible some network filtering device changed it when you downloaded it?

Ben

(imported comment written by Yuvaraj_Devadass)

Thanks Ben! I am able to view the script now… and it’s working fine.

One more thing: after the system reboots, besclientwatcher.exe is not running on the endpoints. Do we have any solution for that? Thanks in advance.

(imported comment written by rkc91)

Ben

Is there a way to change the time on this Fixlet from 30 seconds to 1 hour?

rkc

(imported comment written by SystemAdmin)

Here’s an updated version of the client watcher that will take a command line argument for the wait time.

http://support.bigfix.com/download/bes/util/besclientwatcher-1.2.exe

To set it to an hour you would run it like this:

besclientwatcher-1.2.exe -w 3600

Would someone be willing to change the Fixlet to make use of this?

(imported comment written by go4u)

Tyler Duni wrote:

> Here’s an updated version of the client watcher that will take a command line argument for the wait time.
>
> http://support.bigfix.com/download/bes/util/besclientwatcher-1.2.exe
>
> To set it to an hour you would run it like this:
> besclientwatcher-1.2.exe -w 3600
>
> Would someone be willing to change the Fixlet to make use of this?

The version of besclientwatcher-1.1.exe is “1.1.0.0”, but the version of besclientwatcher-1.2.exe is “0.0.0.0”?

So maybe the version part of besclientwatcher-1.2.exe needs to change, because when besclientwatcher-1.1.exe exists, we could replace it with a newer one such as 1.2.

(imported comment written by go4u)

Tyler Duni wrote:

> Here’s an updated version of the client watcher that will take a command line argument for the wait time.
>
> http://support.bigfix.com/download/bes/util/besclientwatcher-1.2.exe
>
> To set it to an hour you would run it like this:
> besclientwatcher-1.2.exe -w 3600
>
> Would someone be willing to change the Fixlet to make use of this?

Try this,

action part:

// enter the time
action parameter query "time" with description "Please enter your desired time (seconds)" and with default value "60"

// check to see if the watcher was downloaded already... if so, run it silently...
if {exists file "besclientwatcher.exe" of parent folder of regapp "besclient.exe"}
runhidden "{pathname of parent folder of regapp "besclient.exe"}\besclientwatcher.exe" -w "{parameter "time" of action}"

// if not already downloaded, download and run silently...
else
prefetch besclientwatcher.exe sha1:5c0b057c37e3f23e987ee2472187e0a9324aaea7 size:1282114 http://support.bigfix.com/download/bes/util/besclientwatcher-1.2.exe
copy __download\besclientwatcher.exe "{pathname of parent folder of regapp "besclient.exe"}\besclientwatcher.exe"
runhidden "{pathname of parent folder of regapp "besclient.exe"}\besclientwatcher.exe" -w "{parameter "time" of action}"
endif

I tested it. It works OK!

(imported comment written by Yuvaraj_Devadass)

Hi,

I have created the Fixlet with the script below, but when I take action it fails. Please check the script. Thanks in advance.

//enter the time action parameter query “time” with description “Please enter your desired time (seconds)” and with default value “60”

// check to see if the watcher was downloaded already… if so, run it sliently…

if {exists file “besclientwatcher.exe” of parent folder of regapp “besclient.exe”}

runhidden “{pathname of parent folder of regapp “besclient.exe”}\besclientwatcher.exe” -w “{parameter “time” of action}” // if not already downloaded, download and run silently…

else prefetch besclientwatcher.exe sha1:5c0b057c37e3f23e987ee2472187e0a9324aaea7 size:1282114
http://support.bigfix.com/download/bes/util/besclientwatcher-1.2.exe

copy __download\besclientwatcher.exe"{pathname of parent folder of regapp “besclient.exe”}\besclientwatcher.exe"

runhidden “{pathname of parent folder of regapp “besclient.exe”}\besclientwatcher.exe” -w “{parameter “time” of action}”

endif

(imported comment written by mc116991)

You can prevent admins from stopping or changing the properties of the service by setting permissions on the service itself at the domain level. Create a domain group and add to it any members that should not have access to start/stop/pause BES Client service. Then set the permissions for this service so this group has an explicit deny. This will override any allow that their admin permissions might have. Deny always wins. We use this with great success–many of our users are admins and they just love to disable AV…
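
An added example, not part of the post above and not BigFix code: one way to apply the explicit deny described there on a single machine, by placing a deny ACE at the front of the service's DACL with `sc.exe`. The service short name `BESClient` and the group `CONTOSO\BES-NoServiceControl` are assumptions; substitute your own.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed names: service 'BESClient' and the hypothetical
# domain group 'CONTOSO\BES-NoServiceControl' holding the restricted users.
param(
    [string]$ServiceName = 'BESClient',
    [string]$GroupName   = 'CONTOSO\BES-NoServiceControl'
)
$ErrorActionPreference = 'Stop'

# SDDL ACEs name their trustee by SID, so resolve the group first.
$account = [System.Security.Principal.NTAccount]$GroupName
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Read the current descriptor ('sc.exe': plain 'sc' is an alias in Windows PowerShell).
$sddl = ((& sc.exe sdshow $ServiceName) -join '').Trim()
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow failed: $sddl" }

# Service rights denied to the group:
#   DC change config (startup type)   WP stop           DT pause/continue
#   SD delete the service             WD rewrite DACL   WO change owner
# SYSTEM is not in the group, so the client can still be upgraded and restarted.
$denyAce = "(D;;DCWPDTSDWDWO;;;$sid)"

if ($sddl.Contains($denyAce)) {
    Write-Output "Deny ACE already present on $ServiceName"
    return
}

# Explicit deny ACEs go first in the DACL: right after 'D:' and any flags.
if ($sddl -cnotmatch '^(?<head>.*?D:[A-Z]*)(?<aces>\(.*)$') {
    throw "Unexpected SDDL format: $sddl"
}
$newSddl = $Matches['head'] + $denyAce + $Matches['aces']

# Keep the original for rollback: sc.exe sdset <service> <saved SDDL>
$backup = Join-Path $env:ProgramData "${ServiceName}-sddl-backup.txt"
Set-Content -Path $backup -Value $sddl

& sc.exe sdset $ServiceName $newSddl
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed; original SDDL is in $backup" }
Write-Output "Deny ACE applied. Check with: sc.exe sdshow $ServiceName"
```

As noted earlier in the thread, an administrator can still undo this, so keep watching “Last Report Time” for clients that stop reporting.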

(imported comment written by BenKus)

FYI… This could help:

http://forum.bigfix.com/viewtopic.php?id=2701