Re: Remote Desktop Users and Least User Rights
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23Qmbymv0HHA.4184@xxxxxxxxxxxxxxxxxxxxxxx
Thomas M. <NoEmailReplies@xxxxxxxxxx> wrote:
We have undertaken a project to switch all of our users to standard
user accounts (no administrative rights on the local machine). We
have many users that are set up so that they can access their
computers from home. We've noticed that when the user is removed from
the Administrators group, the list of authorized remote users (My
Computer > Properties > Remote tab > Select Remote Users) gets wiped out.
An administrator then has to log on to the machine and add the user back
to the list.

I can see why this would happen, but it does present something of a
problem for us. I would prefer not to have to manually fix this
problem on hundreds of machines. Is there a way that we can retain
the list of authorized remote users when we remove the employees'
administrative rights on the machine? Also, is there some way--perhaps a
script--that we can identify the machines where remote users have been
set up?

--Tom

Do you use AD? I'd surely hope so, if you have hundreds of machines.

If so, you have several options - you could use Restricted Groups (via
group policy) to add an AD group to each local workstation's RemoteDesktop
group, or you could create a simple startup script assigned via GPO to add
them. Restricted groups can be handy, but they can also be a bit of a PITA
as they will always replace the entire local group membership with
whatever you defined (rather than merely adding). So, I tend to use the
startup script method.

Also, I personally don't set up a one-to-one relationship between a domain
user & his/her workstation; if that PC isn't working, I want them to be
able to connect to another that is. Hence, I don't add only Joe to Joe's
computer "Remote Desktop Users" group.

E.g., you could set up AD security groups called LocalAdmins,
LocalPowerUsers, LocalRDUsers.

The batch file would have this:
........
REM Startup script (runs as the computer's SYSTEM account when assigned via GPO)
REM Group names that contain spaces must be quoted, or "net" treats the
REM extra words as separate arguments and the command fails.
net localgroup Administrators DOMAIN\localadmins /add
net localgroup "Power Users" DOMAIN\localpowerusers /add
net localgroup "Remote Desktop Users" DOMAIN\LocalRDUsers /add
........

You can create/link a new GPO at the appropriate OU where your computers
live (if you haven't created custom ones, you'll need to - unless you're
using SBS, which creates its own hierarchy).

Edit the GPO - go to Computer Configuration \ Windows Settings \ Scripts
(startup/shutdown)
Double-click Startup, click Add
Copy the batch file you created to the clipboard, then paste it in the
window here
Exit/apply/ok/finish whatever

All the computers in this OU should have the startup script applied when
they restart, and you can now control all this centrally, while sitting
comfortably at your desk eating bon-bons. Add whomever you like (whether
individual users, or other AD security groups) to the LocalRDUsers group
and they'll have access.

Kudos on the plan to secure your workstations - users shouldn't run
w/admin rights.
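The original post also asked for a way to find the machines where remote users have already been set up. The following PowerShell script is an added example, not code from either poster: it reads the local "Remote Desktop Users" group on each workstation through the ADSI WinNT provider and writes the membership to a CSV so those machines can be dealt with before admin rights are removed. It assumes the account running it is a local administrator on the targets, that the WinNT provider is reachable over the network, and that computers.txt is a constructed one-hostname-per-line list (swap in Get-ADComputer output if you prefer).

```powershell
# Added example: inventory local "Remote Desktop Users" membership across workstations.
# Assumptions: caller is local admin on each target; computers.txt is a constructed
# list with one hostname per line; output goes to rdp-users-report.csv.
param(
    [string]$ComputerList = ".\computers.txt",
    [string]$Report = ".\rdp-users-report.csv"
)

function Get-LocalRdpMembers {
    param([string]$Computer)
    try {
        # Bind to the local group via the WinNT provider; works on XP-era clients too
        $group = [ADSI]"WinNT://$Computer/Remote Desktop Users,group"
        # Invoke("Members") returns one COM object per member; read Name and ADsPath
        $members = @($group.Invoke("Members")) | ForEach-Object {
            $name = $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
            $path = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
            # ADsPath is WinNT://DOMAIN/name or WinNT://COMPUTER/name; keep the source
            $source = (($path -replace '^WinNT://', '') -split '/')[0]
            "$source\$name"
        }
        [PSCustomObject]@{
            Computer  = $Computer
            Reachable = $true
            Members   = ($members -join ';')
        }
    } catch {
        # Offline machines or access-denied errors are recorded rather than skipped
        [PSCustomObject]@{
            Computer  = $Computer
            Reachable = $false
            Members   = $_.Exception.Message
        }
    }
}

$results = Get-Content $ComputerList |
    Where-Object { $_.Trim() } |
    ForEach-Object { Get-LocalRdpMembers -Computer $_.Trim() }

$results | Export-Csv -Path $Report -NoTypeInformation

# Machines with a non-empty membership already have remote users configured
$results | Where-Object { $_.Reachable -and $_.Members } | Format-Table -AutoSize
```

Entries whose source is the local computer name rather than the domain are the per-machine accounts that will be lost when the user is dropped from Administrators, so they are the ones to move into the domain LocalRDUsers group.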


Thanks for the information.

We do run AD, but I currently don't have the rights for doing group
policies. Before I'm given those rights I need to jump through a few hoops
by taking a group policy class and basically proving that I'm not a total
chowder head. I think they call it quality control! :-)

That being said, I am planning on using the Restricted Groups policy to
accomplish some of our goals. I'm told that the Restricted Groups policy
alone does not get us all the way there in terms of restricting user rights,
and that it does, as you point out, come with its own bag of issues. Guess
I'll have to take the class to get more information on that. In the meantime,
I'll run your ideas by someone who does have the permissions to work
with our group policies and we'll test them out.

I'm not sure why the users with remote access were set up the way they were.
That was all done before I was hired. We do have a Citrix farm with a
couple of Citrix admins. It seems to me that we could just set up access
through our Citrix portal to whatever applications people need to use from
remote locations and avoid the issue on the desktop entirely.

--Tom