You want to make sure users with local administrative permissions cannot disable the Umbrella Roaming service.
Note: If the service that you want to configure is not present in the list, you will need to install GPMC on a computer that has the service running.
Follow these steps on a Windows 2003/2008 Domain Controller:
- Create a New Security Group in Active Directory called Umbrella_Roaming.
This is required as you may already have a security group that contains different members of Domain Admins.
- Open the Group Policy Editor (Start > Run > type gpmc.msc) and create a New Group Policy object called Umbrella.
- Edit the new group policy and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
- Scroll through the listed services until you reach the Umbrella Roaming Client service.
- Configure the service by double-clicking the service name, selecting Define this policy, selecting 'Automatic' and then editing the security groups.
- Add the account 'Network Service' and grant it Read permissions, then remove the Administrators and/or Domain Administrators group as required.
WARNING: DO NOT remove the SYSTEM or INTERACTIVE accounts from the list.
You can now apply the group policy to required containers in the normal way and allow the policy to be applied to the client computers.
You can test the functionality by enabling the GPO and logging onto a client computer as an administrator or as an account with group permissions that you have restricted. Attempting to stop the service should result in the following message being displayed:
Could not stop the service on Local Computer. Error 5: Access is denied.
Alternatively, the option to stop the service may be grayed out and unavailable. Either result shows that the GPO has been configured and applied to the client successfully.
If the error message is not shown and you are still able to stop a restricted service, check that the GPO has been configured correctly and that there are no conflicting GPOs. For more information, consult Microsoft documentation.
Ensure that the relevant admins are added to the Umbrella_Roaming group and the service GPO allows access to the Umbrella_Roaming group.
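To confirm what the GPO actually applied, rather than relying only on the stop attempt, you can read the service's access control list on a client. The following PowerShell is an added example, not part of the original article or vendor tooling. It assumes the service's display name is 'Umbrella Roaming Client' as used above and that you run it from an account allowed to read the service's security descriptor. BA, DA, SY, IU and NS are the standard SDDL aliases for Builtin Administrators, Domain Admins, SYSTEM, INTERACTIVE and Network Service.

```powershell
# Added example, not vendor code. Run on a client after the GPO has applied.
# Assumption: the service display name matches the name used in this article.
$svc  = Get-Service -DisplayName 'Umbrella Roaming Client' -ErrorAction Stop
$sddl = (& sc.exe sdshow $svc.Name | Where-Object { $_ -match '\S' }) -join ''
$m = [regex]::Match($sddl, 'D:[A-Z]*((?:\([^)]*\))+)')
if (-not $m.Success) { throw "No DACL returned by sc.exe: $sddl" }
$dacl = $m.Groups[1].Value

# True when an ACE rights field includes SERVICE_STOP (WP / 0x20) or a generic
# right that maps to it for services (GX = GENERIC_EXECUTE, GA = GENERIC_ALL).
function Test-GrantsStop([string]$Rights) {
    if ($Rights -match '^0x') {
        return [bool]([Convert]::ToInt64($Rights, 16) -band 0x30000020)
    }
    $tokens = [regex]::Matches($Rights, '..') | ForEach-Object { $_.Value }
    return [bool]($tokens | Where-Object { $_ -in 'WP', 'GX', 'GA' })
}

# One object per Allow/Deny ACE: (type;flags;rights;;;trustee)
$pattern = '\(([AD]);[^;]*;([^;]*);[^;]*;[^;]*;([^;)]*)\)'
$aces = [regex]::Matches($dacl, $pattern) | ForEach-Object {
    $type = $_.Groups[1].Value; $rights = $_.Groups[2].Value
    [pscustomobject]@{
        Type    = $type
        Trustee = $_.Groups[3].Value
        Rights  = $rights
        CanStop = ($type -eq 'A') -and (Test-GrantsStop $rights)
    }
}

$findings = @()
foreach ($sid in 'BA', 'DA') {          # groups the policy is meant to restrict
    if ($aces | Where-Object { $_.Trustee -eq $sid -and $_.CanStop }) {
        $findings += "$sid still has an Allow ACE that includes SERVICE_STOP"
    }
}
foreach ($sid in 'SY', 'IU', 'NS') {    # accounts the article says must keep access
    if (-not ($aces | Where-Object { $_.Trustee -eq $sid -and $_.Type -eq 'A' })) {
        $findings += "$sid has no Allow ACE on the service"
    }
}

$aces | Format-Table -AutoSize
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Service DACL matches the policy described in this article.' }
```

The check is per ACE and does not compute effective access for a user who belongs to several groups, so review the full table for any other trustee with CanStop set to True.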