Sunday, May 6, 2007

Lock down SMS Control Panel

There are several ways to lock down the control panel; I will address the ones I know of or have found. Since this has come up in other forums and newsgroups, I thought I would add my 2 cents.
Why would you want to lock it down? Well, if you have a user who is an admin on their machine, they might revolt and turn off the service or fool around with the cache to prevent SMS from doing its job. It is a fact of life that some users will have admin rights to their machine. This will hopefully deter or slow them down; there isn't a way to totally stop them.

1. Hide the SMS Control Panel for the current user (Systems Management)
This will require a restart; force it or just wait for them to restart.
-------no show.reg------------------
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Control Panel\don't load]
"SMSCFGRC.cpl"="No"
---------------------------------------------
2. Disable sections of the Control Panel [Courtesy of Rune Norberg, MS Newsgroup]
For site assignment:
HKLM\Software\Microsoft\SMS\Mobile Client\Configuration\CP Site Assignment
Options=Disabled (REG_SZ)
For cache:
HKLM\Software\Microsoft\SMS\Mobile Client\Configuration\CP Cache
Options=Disabled (REG_SZ)
----------------------------------

3. Restart the CCM service on a remote machine
If the admin keeps turning off the service, you can set up a scheduled task to run, say, every 3 hours to turn it back on. If they turn off WMI then you have a problem, but you can use this to get a return value if it fails to start the service.

-------------restart sms agent.vbs------------
' Starts the SMS Agent Host (ccmexec) on a remote machine through WMI.
strComputer = "YourComputer"
strCommand = "net start ccmexec"
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")

' Process startup settings for the spawned command; ShowWindow = 1 shows it normally.
Set oStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = oStartup.SpawnInstance_
objConfig.ShowWindow = 1

' Win32_Process.Create returns 0 on success; any other value means the start failed.
Set oProcess = objWMIService.Get("Win32_Process")
intReturn = oProcess.Create(strCommand, Null, objConfig, intProcessID)
' Use intReturn if you want to log success or failure; maybe they turned off DCOM or WMI.
--------------------------------------
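As an added example (not from the original post), here is the section 3 scheduled-task idea reworked to check and start the service through Win32_Service and log what each call returned, including the case where WMI or DCOM has been turned off and the case where the service was set to Disabled rather than just stopped. YourComputer and the log path are placeholders, and the log directory must already exist.

```vbscript
' Added example (not from the original post): the section 3 scheduled task using
' Win32_Service, logging the return code. strComputer/strLogFile are placeholders.
Option Explicit
On Error Resume Next
Const ForAppending = 8
Dim strComputer, strLogFile, objWMIService, colServices, objService, intReturn
strComputer = "YourComputer"                ' placeholder
strLogFile  = "C:\Logs\ccmexec-watch.log"   ' placeholder; directory must exist

' Translate the documented Win32_Service method return codes into text.
Function DescribeReturn(code)
    Select Case code
        Case 0:  DescribeReturn = "success"
        Case 2:  DescribeReturn = "access denied"
        Case 7:  DescribeReturn = "service request timeout"
        Case 8:  DescribeReturn = "unknown failure"
        Case 10: DescribeReturn = "service already running"
        Case 14: DescribeReturn = "service disabled"
        Case Else: DescribeReturn = "return code " & code
    End Select
End Function

Sub WriteLog(msg)
    Dim objFSO, objLog
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objLog = objFSO.OpenTextFile(strLogFile, ForAppending, True)
    objLog.WriteLine Now & vbTab & strComputer & vbTab & msg
    objLog.Close
End Sub

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
If Err.Number <> 0 Then
    ' DCOM or WMI unreachable: the post's "then you have a problem" case.
    WriteLog "WMI connect failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If

Set colServices = objWMIService.ExecQuery("SELECT * FROM Win32_Service WHERE Name='CcmExec'")
For Each objService In colServices
    ' A local admin can disable the service as well as stop it; reset that first.
    If objService.StartMode = "Disabled" Then
        intReturn = objService.ChangeStartMode("Automatic")
        WriteLog "ChangeStartMode(Automatic): " & DescribeReturn(intReturn)
    End If
    If objService.State <> "Running" Then
        intReturn = objService.StartService()
        WriteLog "StartService: " & DescribeReturn(intReturn)
    End If
Next
```

Run it under an account with admin rights on the target as the scheduled task; the log then shows whether the agent was started, was already running, or could not be reached at all.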


None of these are top secret, and it will only take a little digging for them to undo it. But it will deter some people. You can only try so much.