Remote Control Permissions

    Question

  • Hi all,

    We are using the Configuration Manager 2007 SP2 R3 system to control our workstations. A few days ago I performed some permission adjustments to allow the support desk personnel to use all the features they need, and the end goal is to limit their permissions to workstations only and then add the servers to the list.

    All looks OK, however I've stumbled on a problem:

    The remote control settings are being allowed on a site level. This creates a problem: while the support desk can't see the servers as they don't have permissions for that, they could simply remote desktop to it.

    How can we make sure that the remote control policy only allows them to connect to workstations? Maybe (not install the remote control agent during the ccmsetup) OR (disable the remote control agent on servers after the install)?

    Any ideas?


    Regards, Leonid
    Thursday, June 23, 2011 12:14 PM

Answers

  • I would like to correct myself - the error message is shown only on the SCCM server itself, not others. The "ConfigMgr Remote Control Users" group is in the "allow log on through remote desktop services" right and they can log on to those servers as users.

    Eventually, we had no choice except deselecting the "configure remote desktop" on the SCCM agent level and configuring it on the GPO level of the client workstations.

    NOW the helpdesk users cannot connect via RDP to any of the servers.


    Regards, Leonid
    • Marked as answer by Venom83 Monday, June 27, 2011 12:42 PM
    Monday, June 27, 2011 12:42 PM
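
To confirm the result described in this answer on a given server, here is an added example (not part of the original thread). It exports the local user-rights policy with `secedit` and reports whether the "ConfigMgr Remote Control Users" group named in the thread still holds the "Allow log on through Remote Desktop Services" right (`SeRemoteInteractiveLogonRight`), along with the group's current members. The temporary file name and the output property names are choices made for this example; run it locally in an elevated PowerShell session.

```powershell
# Added example, not from the thread. Run elevated on the server being checked.
$groupName = 'ConfigMgr Remote Control Users'   # group name as given in the thread
$right     = 'SeRemoteInteractiveLogonRight'    # "Allow log on through Remote Desktop Services"

# Export only the user-rights section of the local security policy.
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'   # file name chosen for this example
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match "^$right\s*=" }
Remove-Item $cfg -ErrorAction SilentlyContinue

# Entries are comma separated; SIDs are prefixed with '*'.
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            try {
                # Resolve the SID to an account name.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $entry   # unresolvable SID: report it as exported
            }
        } else {
            $entry
        }
    }
}

# Does the helpdesk group hold the RDP logon right on this machine?
$granted = @($holders | Where-Object { $_ -eq $groupName -or $_ -like "*\$groupName" })

# Members of the local group, if the ConfigMgr client created it here.
$members = @()
try {
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    $members = @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
} catch {
    # Group not present on this machine: nothing to list.
}

New-Object PSObject -Property @{
    Computer           = $env:COMPUTERNAME
    RdpLogonHolders    = $holders -join '; '
    GroupHoldsRdpRight = ($granted.Count -gt 0)
    GroupMembers       = $members -join '; '
}
```

On a server, `GroupHoldsRdpRight` being `True` with a non-empty `GroupMembers` means the accounts listed can still log on over RDP.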

All replies

  • You cannot restrict the remote control permissions to servers or desktops; rather, you can provide the remote control permissions to collections (create a collection with all desktops excluding the servers) and they will be able to remote control those systems. AFAIK

    Go to Security Rights --> Rights --> User --> click on Manage User Rights

    http://technet.microsoft.com/en-us/library/bb680648.aspx


    //Eswar Koneti @ www.eskonr.com
    • Marked as answer by Venom83 Thursday, June 23, 2011 2:47 PM
    • Unmarked as answer by Venom83 Monday, June 27, 2011 10:33 AM
    Thursday, June 23, 2011 12:42 PM
  • Yea, looks like it was already in place :)

    I thought that if they are members of the "ConfigMgr Remote Control Users" group, they can use RDP, but as it turned out, the answer is NO.

    Trying to log in as a helpdesk user to a server using RDP results in an error stating that the user does not have remote login permissions. This is despite the fact that the "ConfigMgr Remote Control Users" group is in the "allow log on through remote desktop services".

    Thanks!


    Regards, Leonid
    Thursday, June 23, 2011 2:47 PM