Re: Remote Desktop Users and Least User Rights



Thomas M. <NoEmailReplies@xxxxxxxxxx> wrote:
We have undertaken a project to switch all of our users to standard
user accounts (no administrative rights on the local machine). We
have many users that are set up so that they can access their
computers from home. We've noticed that when the user is removed from
the Administrators group, the list of authorized remote users (My Computer
> Properties > Remote tab > Select Remote Users) gets wiped out. An
administrator then has to log on to the machine and add the user back to
the list.

I can see why this would happen, but it does present something of a
problem for us. I would prefer not to have to manually fix this
problem on hundreds of machines. Is there a way that we can retain
the list of authorized remote users when we remove the employees'
administrative rights on the machine? Also, is there some way--perhaps a
script--that we can identify the machines where remote users have been
set up?

--Tom

Do you use AD? I'd surely hope so, if you have hundreds of machines.

If so, you have several options - you could use Restricted Groups (via group
policy) to add an AD group to each local workstation's RemoteDesktop group,
or you could create a simple startup script assigned via GPO to add them.
Restricted groups can be handy, but they can also be a bit of a PITA as they
will always replace the entire local group membership with whatever you
defined (rather than merely adding). So, I tend to use the startup script
method.

Also, I personally don't set up a one-to-one relationship between a domain
user & his/her workstation; if that PC isn't working, I want them to be able
to connect to another that is. Hence, I don't add only Joe to Joe's computer
"Remote Desktop Users" group.

E.g., you could set up AD security groups called LocalAdmins,
LocalPowerUsers, LocalRDUsers.

The batch file would have this:
.........
rem Add the central AD groups to the corresponding local groups.
rem Local group names that contain spaces must be quoted.
net localgroup Administrators DOMAIN\LocalAdmins /add
net localgroup "Power Users" DOMAIN\LocalPowerUsers /add
net localgroup "Remote Desktop Users" DOMAIN\LocalRDUsers /add
.........

You can create/link a new GPO at the appropriate OU where your computers
live (if you haven't created custom ones, you'll need to - unless you're
using SBS, which creates its own hierarchy).

Edit the GPO - go to Computer Configuration \ Windows Settings \ Scripts
(startup/shutdown)
Double-click Startup, click Add
Copy the batch file you created to the clipboard, then paste it in the
window here
Exit/apply/ok/finish whatever

All the computers in this OU should have the startup script applied when
they restart, and you can now control all this centrally, while sitting
comfortably at your desk eating bon-bons. Add whomever you like (whether
individual users, or other AD security groups) to the LocalRDUsers group and
they'll have access.

Kudos on the plan to secure your workstations - users shouldn't run w/admin
rights.
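Tom's second question (finding the machines where remote users have already been added by hand) is not answered above. The following PowerShell script is an added example, not code from either poster: it walks the computer objects in an OU, reads each machine's local "Remote Desktop Users" group over the network through the WinNT ADSI provider, and flags any member that is not the centrally managed DOMAIN\LocalRDUsers group from the reply. The OU path, the group name and the output file are placeholders to replace; it assumes the ActiveDirectory module is installed and that the account running it can read local groups on the workstations.

```powershell
# Added example (not from the original thread): audit local "Remote Desktop Users"
# membership across domain workstations and report machines whose membership
# was set by hand rather than through the central AD group.
# Assumptions: ActiveDirectory module available; the running account can read
# local groups remotely; $searchBase and $managedGroup are placeholders.

$searchBase   = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$managedGroup = 'LocalRDUsers'                         # central AD group from the reply
$localGroup   = 'Remote Desktop Users'                 # local group being audited

Import-Module ActiveDirectory

function Get-LocalGroupMembers {
    # Returns members of a local group on a remote computer as DOMAIN\Name strings.
    param([string]$ComputerName, [string]$GroupName)
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath looks like WinNT://DOMAIN/Name; strip the provider prefix
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$results = foreach ($pc in Get-ADComputer -SearchBase $searchBase -Filter 'Enabled -eq $true') {
    $name = $pc.Name
    try {
        $members = @(Get-LocalGroupMembers -ComputerName $name -GroupName $localGroup)
        # Anything other than the managed AD group was added locally by hand.
        $unmanaged = @($members | Where-Object { $_ -notmatch "\\$managedGroup$" })
        [pscustomobject]@{
            Computer  = $name
            Reachable = $true
            Members   = ($members -join '; ')
            Unmanaged = ($unmanaged -join '; ')
        }
    } catch {
        # Offline machine or access denied: record it so it is not silently skipped.
        [pscustomobject]@{ Computer = $name; Reachable = $false; Members = ''; Unmanaged = '' }
    }
}

$results | Sort-Object Computer | Format-Table -AutoSize
$results | Export-Csv -Path .\rdp-users-audit.csv -NoTypeInformation   # placeholder path
```

Run it from a management workstation before rolling out the GPO startup script: the Unmanaged column lists the per-machine entries that would otherwise disappear when the user leaves Administrators, and the Reachable column tells you which machines still need to be checked once they are back on the network.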
