What Axel said and you could also configure Agent Watcher Settings in you client.

I have a similar issue and so far the best thing I have found is to schedule the agent install every few hours and it will restart all of the services or repair damage caused by the user. Not perfect but it has been working and it is wearing the user down.

Sounds like a real PITA, however, this is more of a procedural issue than a systems issue. It manifests itself as a system issue, but really whatever preventive measurers LANDesk puts into the product the users with the correct credentials (system and/or political) will be able to deactivate. If LANDesk devises a system where a local admin can't really disable the system (somewhat unlikely) these users will use their political powers to remove the LANDesk client from their machines.  Basically, a dog chasing their tail.  Somehow, someway, you need to find a way to get these users in line.  Marketing, smoozing, buy a couple of lunches for management, education, SPONSORSHIP of the process from upper management, murder, intimidation, black mail, mind control, etc... 

I'll try that!  Thanks for the answer...

I was hoping LANDesk would change it so that when services were disabled that the client went back to being "UnManaged"... there are a lot of advantages to that including the posibility of NOT allowing unmanaged devices on your network...

-B

That would require a real-time component, so if anything that would only really work for System Manager.

Basically, if a device has sent inventory in, and has a CBA, we regard it as "managed".

The problem with treating a device as "unmanaged" that we can't reach needs to be considered carefully - essentially you'd either have to treat any device we can't contact as unmanaged (which would likely cause problems for road-warriors and other mobile users), or you'd need a separate "LANDesk health" service (which may or may not be stealthed), but the problem there is that local admins would again have the powers to shoot that one down.

At the end of the day, as has been suggested, the problem is more of a political one. If a local admin user is "dead set" to making your life needlessly difficult, there's little we can do - GPO's and other automated mechanisms to make sure the settings that you want on the client WILL be on the client are about the only way (since, at the end of the day, those should out-last most stubborn folks who don't get smart and decide to write counter-scripts or whatnot).

If a user is THAT determined to throw a spanner in your works, the solution is not technical, but one of communication, as has been hinted above. Either talk to him, or talk to supervisors and make sure that this policy is pushed down (politically) from above. That way, they'll have to play ball sooner or later. Communication would also allow for dialogue about WHY they're making your life difficult.

Maybe Client component X is causing him issues when he's using "obscure software Z that only he uses" or something like that. There's usually more to those stories other than "I don't wanna" or so .

Paul Hoffmann

LANDesk EMEA Technical Lead

Of course, this, like almost anything else having to do with software installation, is a social issue.

Who do you give admin rights to?  Who gets to be a power user?

Why, like mechanics who drive broken cars, do the IT people that have the strongest credentials have the least-patched and most vulnerable machines?   It's a problem that certainly exists outside of LANDesk.

I guess I was thinking that the LANDesk solution / software suite would do more for me in terms of being a well-rounded security solution.  Enhancements in unmanged machine management in 8.8 SP2 made me think that we could manage a computer from the point it's plugged in to the point it gets thrown away.   And there are parts of that process where LANDesk really shines.

SO don't get me wrong, I LOVE the product.  Really.

But, come on!   Right now there are at least 12 processes running on my PC that are owned by LANDesk.  I thought at least ONE of them would monitor whether or not the client was fully installed and communicating with the CORE.   I thought at least one would notify me if the realtime Antivirus Scanner was unable to start.   Those two issues pose the most threat to "total management".

The irony here is that SoftMon doesn't even seem to monitor LANDesk software!          Sigh.  

Cradle-to-Grave management of computers is what I'm after... and allowing users to turn services off that LANDesk is unable to recover from is a huge hole not only in management but in security.

I'll go ahead and push out a policy through AD that doesn't allow even Administrative users from stopping or disabling the LANDesk services.   But am I the only one that's dissapointed that I have to use a Microsoft tool to monitor a LANDesk tool?   Ladies and Gentlemen, it's supposed to be THE OTHER WAY AROUND!

Thanks for the ideas and comments...  I really appreciate everyone's comments.  

-B