windows 如何防止应用程序被用户卸载(无管理员权限)?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4900857/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
how to prevent application to be uninstalled by a user (w/o admin rights)?
提问by Andriy Tylychko
I need to forbid to uninstall an application (not a service!) by a user w/o some special rights. How to do this? installation will be done by domain administrator
我需要禁止没有某些特殊权限的用户卸载应用程序(不是服务!)。这该怎么做?安装将由域管理员完成
thanks for your time
谢谢你的时间
[EDIT] also I need to prevent removing the application from windows startup
[编辑] 我还需要防止从 Windows 启动中删除应用程序
[EDIT1] to clarify: application is simple and is installed in its folder and added to windows startup (actually to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry). What I need exactly is to forbid to remove this folder and this registry key, for ordinal users, not for local admins.
[EDIT1] 澄清:应用程序很简单,安装在其文件夹中并添加到 Windows 启动(实际上是到 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 注册表)。我真正需要的是禁止为普通用户而不是本地管理员删除此文件夹和此注册表项。
回答by rene
[updated] the file location is easy. That is simple revoking write permission on the folder and all its subfolders and files for Builtin\Users, and giving Builtin\Administrators full permmision. You can set this via the Explorer, properties-> permissions or commandline wise with cacls (or icalcs if you're on win7)
[更新] 文件位置很容易。这很简单,撤销对 Builtin\Users 文件夹及其所有子文件夹和文件的写权限,并给予 Builtin\Administrators 完全许可。您可以通过资源管理器、属性-> 权限或命令行明智地使用 cacls(或 icalcs,如果您使用的是 win7)进行设置
The regkey is on my win7 box already only readable (not writeable) by Users and read/write by local admins (regedit -> Context menu -> Persmissions).
regkey 在我的 win7 机器上,已经只能由用户读取(不可写入)并且由本地管理员读取/写入(regedit -> 上下文菜单 -> 权限)。
If it still doesn't behave like you want figure out what groups a normal user is in (also domain groups) and then check how those groups are propagated to the local machine.
如果它仍然不像您想弄清楚普通用户所在的组(也是域组),然后检查这些组如何传播到本地计算机。
And as sugested by Ben in the comments, you might start a new question on Server Fault.
正如 Ben 在评论中所暗示的那样,您可能会在 Server Fault 上提出一个新问题。
[end update]
[结束更新]
[before edite response] I doubt you can disallow the uninstall of 'one' application. By means of a Group Policy you can "Pohibit removal of updates"
[编辑回复之前] 我怀疑您是否可以禁止卸载“一个”应用程序。通过组策略,您可以“禁止删除更新”
(in GPedit.msc under Computer Config/Admin templates/windows components/windows installer)
(在计算机配置/管理模板/Windows 组件/Windows 安装程序下的 GPedit.msc 中)
The Group Policy is set by a domain admin and is enforced across the domain so it doesn't require 'persmissions'. But you need off course to also prevent local admins from editing the local group policy.
组策略由域管理员设置并跨域强制执行,因此不需要“权限”。但是您当然还需要防止本地管理员编辑本地组策略。
Another more daunting option would be to use a group policy in the Software Rectriction part of Security Settings. Here you can enter a path policy for the name of the msi or exe file that you do not want to be run.
另一个更令人生畏的选择是在安全设置的软件限制部分使用组策略。您可以在此处为不想运行的 msi 或 exe 文件的名称输入路径策略。
Both require validating/testing to prevent that to much restriction prevent everybody from starting anything...
两者都需要验证/测试以防止过多的限制阻止每个人开始任何事情......
回答by saschabeaumont
If an application requires administrative rights to be installed, then non-administrators will not have permission to remove it.
如果应用程序需要安装管理权限,则非管理员将无权删除它。
If the users have local administrative rights, then you can't prevent anything.
如果用户具有本地管理权限,则您无法阻止任何事情。
