Only Domain Admin should have BESClient service rights

(imported topic written by ivynash)


I want only Domain Administrators to have full rights to the BESClient.exe service, so that nobody (users including local administrator) can stop or disable the “BESClient” service. This is mainly because all the domain users have local administrator rights on the network, so they can stop or disable the BESClient service. I have checked the “Schedule BES Client Service Restart Using TaskScheduler” task, but it is not reliable as the users can delete the Windows scheduled tasks and disable the service.

Please give me a solution for the same. Looking forward to the solution at the earliest.

Thanks & Regards,


(imported comment written by SystemAdmin)

Hi Ivy,

As far as I know, it is not possible to restrict local administrator rights in this way on Windows. Being a local administrator gives you this ability and it isn’t possible for BigFix to change the OS permission model to support this.

The best you could do would be to create a second service which monitors the BES Client service and re-enables the BES Client if someone shuts it down. If the user is clever enough to find the watcher service you haven’t made any real progress though. So, this is by no means a guarantee and is at best an obscurity.

This is often done through another management service on the computer if available, i.e., an AD script that performs the required operations.

(imported comment written by wolverine23)

Hello Ivynash and Tyler,

Try this, really really works.

subinacl.exe /service "Bes Client" /deny=mydomain\{name of current user}=F



(imported comment written by BenKus)

Hey wolverine and all,

Just note that the end-user with Admin rights can simply give themselves permissions right back using a similar command-line trick… But if it works for you, then that is fine from a BigFix functionality standpoint.
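
An added example, not part of the original thread or of BigFix: because a deny entry on the service can be removed again, one thing to monitor is the service ACL itself. The sketch below parses the DACL from SDDL text (the format printed by `sc.exe sdshow <service>`), lists which trustees are named for a given right, and reports drift against a recorded baseline. The function names, the SDDL strings and the user SID are constructed for illustration.

```python
# Added example: audit a Windows service DACL given as SDDL text.

# Two-letter SDDL access codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

def parse_dacl(sddl):
    """Return a set of (ace_type, trustee, frozenset_of_right_names) from the D: part."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]
    aces = set()
    for body in dacl.split("(")[1:]:
        fields = body.rstrip(")").split(";")
        if len(fields) != 6:
            continue  # skip anything that is not a plain six-field ACE
        codes = [fields[2][i:i + 2] for i in range(0, len(fields[2]), 2)]
        # Codes outside the table (generic rights, hex masks) pass through unmapped.
        rights = frozenset(SERVICE_RIGHTS.get(c, c) for c in codes)
        aces.add((fields[0], fields[5], rights))
    return aces

def holders(sddl, right):
    """Trustees named in allow (A) and deny (D) ACEs for one right, e.g. 'STOP'.
    Group membership is not resolved, so this is not an effective-access check."""
    out = {"A": [], "D": []}
    for ace_type, trustee, rights in parse_dacl(sddl):
        if ace_type in out and right in rights:
            out[ace_type].append(trustee)
    return {k: sorted(v) for k, v in out.items()}

def dacl_drift(baseline, current):
    """ACEs added to and removed from the DACL relative to a recorded baseline."""
    old, new = parse_dacl(baseline), parse_dacl(current)
    return new - old, old - new

# Constructed samples: a typical default service DACL, and the same DACL with a
# deny-full ACE for one user placed first (the SID is a made-up placeholder).
USER = "S-1-5-21-1111111111-2222222222-3333333333-1104"
FULL = "CCDCLCSWRPWPDTLOCRSDRCWDWO"
DEFAULT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;" + FULL + ";;;BA)"
           "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
HARDENED = DEFAULT.replace("D:", "D:(D;;" + FULL + ";;;" + USER + ")", 1)

if __name__ == "__main__":
    print(holders(HARDENED, "STOP"))
    print(dacl_drift(HARDENED, DEFAULT))
```

Comparing a stored copy of the hardened SDDL with the current one on a schedule surfaces the case where the deny entry has been taken off again.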


(imported comment written by BenKus)

FYI… This might help: