none
Remote Tools not working for Non-admin users for workstations SCCM 2007 SP2

    Question

  • Hello,

    I am working on setting our helpddesk with access to the Remote tools function in SCCM. I have already seup the console on thier systems, which is working fine, instance rights are set and they are able to view the console and the collection I gave them rights to with no problem. They also have Membership in the local ConfigMgr remote control Users group. DCOM permissions are setup correctly as well. Our Helpdesk is also a member of the SMS Admin group as well.

    When they start the Remote tools by right clicking a PC then Start Remote tools they are prompted for a Username and password, attempts to login fail. Our Desktop group is able to login with no problems and no prompt for password. Desktop is part of the Local Admin group, I am not able to add the Helpdesk to this group.

    I am just trying to find what I am missing here. This probably something simple that I have overlooked, I have been searching google, and the only reference I can find is on the DCOM permissions 

     

    Any help would be appreciated.

    Steve


    Monday, August 08, 2011 6:19 PM

Answers

  • For the most part adding our help desk group to the Local DCOM Users group has solved this problem for XP PC's, still having problems with Windows 7 and the Remote Tools. The Help desk is a group of Non admins, another group that we have is part of the Local Admins group and can connect to Windows 7 PC's without any problems, the Helpdesk is prompted for credentials, which fails when they attempt to login.

    I have seen this in other posts as well and the answer usually points at DCOM, but there something else I am still missing, anyone have any ideas?

    Steve

    • Marked as answer by SteveRinMA Thursday, October 06, 2011 3:56 PM
    Thursday, September 01, 2011 1:56 PM

All replies

  • If you just want them to use RC I wouldn't give them the console. All they need is the .exe. Another good option for Support Desk folks is Ron's Web Tools which is free and it allowed them to install software, use RC and several other nice little tools.

     

     


    John Marcum | http://myitforum.com/cs2/blogs/jmarcum/|
    Monday, August 08, 2011 6:40 PM
  • I doubt I will be able to get that tool to pass through Mgmt. Have not tested just using the RC. I am using the console for I want any connection logged on the SCCM server. I also found you can add the logging option to the shortcut. At another job I was working at the helpdesk was worrking with the console, I was not the one to set this up though.

    For a test I did, I added a single user to the Admin group of a local PC, and they were able to remote to the PC using the console, so it seems just a matter of what I need to give them permissions to on the local PC. From the Console they are able to access the Resource Explorer and look at inventory for the PC. I also first gave them Read access to the RemCtrl dir, all this did was stop the Password prompt, adding Full control no difference, just no prompt, no failures show up in the SCCM Remote Control log.

    Monday, August 08, 2011 10:10 PM
  • Have you checked the details of permissions mentioned in the technet articles below? and please note - Limit the Permitted Viewers list Local administrator rights are not required for a user to be able to use Remote Tools. If the collection and Permitted Viewers list security is met, the Remote Tools user can use Remote Tools on the client.

    http://technet.microsoft.com/en-us/library/bb693761.aspx

    http://technet.microsoft.com/en-us/library/bb694030.aspx

    http://technet.microsoft.com/en-us/library/bb694296.aspx


    Anoop C Nair - This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, August 09, 2011 2:19 AM
  • I checked the above settings and I have applied everything as well prior to this posting. I copied rc.exe and rdpencom.dll to a system used by the help desk, and they are not able to run this as well. I was able to use it using run as and using my credentials I also provided full control of the folder rc.exe is in. If I was to give the user admin rights to a target PC but not to thier PC, the Remote Control will work through the console. Giving the Helpdesk Admin rights is not an option though.

    In the end if I am able to get this working just rc.exe, I would need to have this setup to log any sessions to the SCCM server for tracking purposes, so would be able run reports for specific users remoting to PC's and vice versa.

    Tuesday, August 09, 2011 4:18 PM
  • Please enable the policy mentioned in the following article and see if it can resolve the issue.

    User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
    http://technet.microsoft.com/en-us/library/dd851479.aspx 


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”
    Wednesday, August 10, 2011 6:58 AM
  • Hi Arthur - Is this applicable only for Windows 2008 servers? How about others?
    Anoop C Nair - This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, August 10, 2011 7:11 AM
  • I enabled policy on a Windows 7 PC, when user is in the console, they right click the PC name, from menu Start|Remote Tools I see a quick Hour glass like it is thinking and that dissapears. Is there a log file that tracks Remote control failed attempts? If I can see the error at least then I have something to go on. I tried looking in the general logs, and the Staus logs.
    Wednesday, August 10, 2011 2:21 PM
  • In testing permissions I added the Helpdesk to the Power Users group, minus the enabled policy mentioned above and this worked without issue. Next I removed them the Power Users group, added them to the Local DCOM group and they were able to access the system without any problem.

    Now that I was able to get this to work is there any alternative to adding them to the DCOM group or Security concerns involved with this? I had already provided the ConfigMGR Remote Group with Full Control permissions on the local PC for all the SMS components so what I do not understand is why this would not have worked as well.

    Wednesday, August 10, 2011 7:22 PM
  • For the most part adding our help desk group to the Local DCOM Users group has solved this problem for XP PC's, still having problems with Windows 7 and the Remote Tools. The Help desk is a group of Non admins, another group that we have is part of the Local Admins group and can connect to Windows 7 PC's without any problems, the Helpdesk is prompted for credentials, which fails when they attempt to login.

    I have seen this in other posts as well and the answer usually points at DCOM, but there something else I am still missing, anyone have any ideas?

    Steve

    • Marked as answer by SteveRinMA Thursday, October 06, 2011 3:56 PM
    Thursday, September 01, 2011 1:56 PM
  • Hi Steve,

    I've run into this issue on windows 7 machines specifically x64.  It appears that my heldpesk agents didn't have access to c:\windows\syswow64\clicomp\remctrl\rclaunch.exe as they were not local admins.

    created a collection of windows 7 x64 machines and threw this command out and remote tools is working properly.

    cmd /c ICACLS c:\Windows\SysWOW64\CCM\clicomp\RemCtrl\RCLaunch.exe /grant "ConfigMgr Remote Control Users":M

    Josh

    Wednesday, November 30, 2011 9:56 PM