RE: [ActiveDir] Remote Desktop vs. Remote assistance
RA is helping a user... by definition, shadowing... You have the option of allowing control (i.e. move the user's mouse for them)... Can be controlled by user or set through policy. RD is getting to my desk while away to put it simply. They use many identical underlying technologies... Just two different uses for the technology formerly known as terminal services client. As a support person, you can drop in on a user and propose to help them, without them having to email/im/transfer. This IS done through GPO. Look under Computer Configuration \ Administrative Templates. http://support.microsoft.com/default.aspx?scid=kb;en-us;306496 has local gpo steps but same in AD GPO. You CANNOT drop in uninvited AND unaccepted to spy on a user using RA. The user will always be notified that you are RA'ing in and allowed to accept/refuse, to my experience. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, July 14, 2005 10:30 AM To: ActiveDir (E-mail) Subject: [ActiveDir] Remote Desktop vs. Remote assistance What is the actual diff between RD and RA? If i RD to a winxp desktop, that allows 1 connection. Can someone Shadow it or no? Is there any reason to use one over the other for support? or is RA just easier/better because you can share the session and you can see what a user is doing and interact? Also, is there a gpo or reg hack that allows me as a Domain Admin to RA to a user w/o her asking for RA via and email or im or file transfer or allowing me to log on? Thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Remote Desktop vs. Remote assistance
http://support.microsoft.com/default.aspx?scid=kb;en-us;301527 Even better. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, July 14, 2005 10:30 AM To: ActiveDir (E-mail) Subject: [ActiveDir] Remote Desktop vs. Remote assistance What is the actual diff between RD and RA? If i RD to a winxp desktop, that allows 1 connection. Can someone Shadow it or no? Is there any reason to use one over the other for support? or is RA just easier/better because you can share the session and you can see what a user is doing and interact? Also, is there a gpo or reg hack that allows me as a Domain Admin to RA to a user w/o her asking for RA via and email or im or file transfer or allowing me to log on? Thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Remote Desktop vs. Remote assistance
With Remote Desktop, you are going to take over the machine (in the case of XP) kicking off any logged on person in the act of taking over the machine. Your access is the same as the credentials in which you login as. With Remote Access, you need to receive an invitation and the user is not kicked off. Both of you will see what is on the screen, and initially you have view only access. The user has to GIVE you control, and can take it back, in the event that you go nuts and attempt to format the drive, delete files, etc. Not that it would ever happen to you, Tom... ;-) Does that help? Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, July 14, 2005 12:30 PM To: ActiveDir (E-mail) Subject: [ActiveDir] Remote Desktop vs. Remote assistance What is the actual diff between RD and RA? If i RD to a winxp desktop, that allows 1 connection. Can someone Shadow it or no? Is there any reason to use one over the other for support? or is RA just easier/better because you can share the session and you can see what a user is doing and interact? Also, is there a gpo or reg hack that allows me as a Domain Admin to RA to a user w/o her asking for RA via and email or im or file transfer or allowing me to log on? Thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Remote Desktop vs. Remote assistance
thanks alot, rick and dan. can you shadow a ts connection to xp like on server? as to the user giving me control, i thought that was just a policy that could be configured, NOT hardwired into the os somehow. I thought if i was a DA and by default then a local admin on the box, when i RA in, i could over rule that setting somehow since i am in actuallity a admin of the box. I only ask because we use VNC here for some help desk stuuf and i wanted to replace it with RA since we are mostly xp on the client but i'm araid with this asking for help stuff and allowing access, my users would get confused awfully quick. they don't adapt well to change. usually, someone here calls them and then says ok, i'm gonna connect to your machine or they might be away and a help desk admin connects to their box. RA doesn't seem to make this as simple as vnc does, i guess. I still wonder how as an admin you can be denied RA access to a box or need permission. is it a local system thing? thanks for all your help and sorry to bore you with my issues. -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Thursday, July 14, 2005 1:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance With Remote Desktop, you are going to take over the machine (in the case of XP) kicking off any logged on person in the act of taking over the machine. Your access is the same as the credentials in which you login as. With Remote Access, you need to receive an invitation and the user is not kicked off. Both of you will see what is on the screen, and initially you have view only access. The user has to GIVE you control, and can take it back, in the event that you go nuts and attempt to format the drive, delete files, etc. Not that it would ever happen to you, Tom... ;-) Does that help? Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, July 14, 2005 12:30 PM To: ActiveDir (E-mail) Subject: [ActiveDir] Remote Desktop vs. Remote assistance What is the actual diff between RD and RA? If i RD to a winxp desktop, that allows 1 connection. Can someone Shadow it or no? Is there any reason to use one over the other for support? or is RA just easier/better because you can share the session and you can see what a user is doing and interact? Also, is there a gpo or reg hack that allows me as a Domain Admin to RA to a user w/o her asking for RA via and email or im or file transfer or allowing me to log on? Thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Remote Desktop vs. Remote assistance
I believe that Dan is correct - it CAN be controlled via policy. But, again with all the policies that get added, I have a hard time keeping up with those functions, as I really don't spend much time on the 'user end', if you will. As to shadowing an Administrative TS session. I seem to remember that you can. The only REAL difference between a Admin TS session and the Application mode is the license method. Included two license for Admin purposes only, while the Application mode needs a lic server to manage the licenses for sessions. However, (and as Dan eloquently stated) I am pulling one out here, I think that you can shadow or Remote Control these sessions as well. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, July 14, 2005 1:09 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance thanks alot, rick and dan. can you shadow a ts connection to xp like on server? as to the user giving me control, i thought that was just a policy that could be configured, NOT hardwired into the os somehow. I thought if i was a DA and by default then a local admin on the box, when i RA in, i could over rule that setting somehow since i am in actuallity a admin of the box. I only ask because we use VNC here for some help desk stuuf and i wanted to replace it with RA since we are mostly xp on the client but i'm araid with this asking for help stuff and allowing access, my users would get confused awfully quick. they don't adapt well to change. usually, someone here calls them and then says ok, i'm gonna connect to your machine or they might be away and a help desk admin connects to their box. RA doesn't seem to make this as simple as vnc does, i guess. I still wonder how as an admin you can be denied RA access to a box or need permission. is it a local system thing? thanks for all your help and sorry to bore you with my issues. -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Thursday, July 14, 2005 1:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance With Remote Desktop, you are going to take over the machine (in the case of XP) kicking off any logged on person in the act of taking over the machine. Your access is the same as the credentials in which you login as. With Remote Access, you need to receive an invitation and the user is not kicked off. Both of you will see what is on the screen, and initially you have view only access. The user has to GIVE you control, and can take it back, in the event that you go nuts and attempt to format the drive, delete files, etc. Not that it would ever happen to you, Tom... ;-) Does that help? Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, July 14, 2005 12:30 PM To: ActiveDir (E-mail) Subject: [ActiveDir] Remote Desktop vs. Remote assistance What is the actual diff between RD and RA? If i RD to a winxp desktop, that allows 1 connection. Can someone Shadow it or no? Is there any reason to use one over the other for support? or is RA just easier/better because you can share the session and you can see what a user is doing and interact? Also, is there a gpo or reg hack that allows me as a Domain Admin to RA to a user w/o her asking for RA via and email or im or file transfer or allowing me to log on? Thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Remote Desktop vs. Remote assistance
BOTTOM LINE I think I know what you're saying and RA *is* the answer. Set up RA using GPOs. IN group policy, you add your Help Desk group as the HELPERS group that is allowed to OFFER remote assistance: Computer config\admin templates\system\remote assistance And specify that they are allowed to remotely control the system. That's all you need to do. Now, when a user calls, the help desk says hold on, launches an RA session to the user's desktop. The ONLY potential difference from VNC is that the user will get a little notice that says Dan is wanting to offer remote assistance and will have to click OK. At that point the helper can view, no problem. There is a second confirmation box IF the helper actually launches control. But believe me, the messages are clear enough and the help desk is on the phone anyway, right? So it's not tough to figure out! It beats having a third party app doing the same thing! One less thing to manage (and RA, as part of XP and GPO infrastructure is EASIER to manage), and one less thing to have to keep up with patches on. DETAILS You cannot shadow a ts connection to xp. Remember how it works on a server... the user is ts'd to the server; the support person has a SEPARATE ts to the server and jumps in to the user's ts. It requires multiple TS connections and XP doesn't support that. The ONLY 'shadow' to a THICK client is RA. If XP is TS'd into a TS, then you can shadow that TS connection (as described above). I am working with a high profile client right now and we just 'banished' VNC on XP systems. We found its admin logon encryption lacking, in the version we were using, and, more importantly, it just wasn't necessary. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, July 14, 2005 11:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance thanks alot, rick and dan. can you shadow a ts connection to xp like on server? as to the user giving me control, i thought that was just a policy that could be configured, NOT hardwired into the os somehow. I thought if i was a DA and by default then a local admin on the box, when i RA in, i could over rule that setting somehow since i am in actuallity a admin of the box. I only ask because we use VNC here for some help desk stuuf and i wanted to replace it with RA since we are mostly xp on the client but i'm araid with this asking for help stuff and allowing access, my users would get confused awfully quick. they don't adapt well to change. usually, someone here calls them and then says ok, i'm gonna connect to your machine or they might be away and a help desk admin connects to their box. RA doesn't seem to make this as simple as vnc does, i guess. I still wonder how as an admin you can be denied RA access to a box or need permission. is it a local system thing? thanks for all your help and sorry to bore you with my issues. -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Thursday, July 14, 2005 1:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance With Remote Desktop, you are going to take over the machine (in the case of XP) kicking off any logged on person in the act of taking over the machine. Your access is the same as the credentials in which you login as. With Remote Access, you need to receive an invitation and the user is not kicked off. Both of you will see what is on the screen, and initially you have view only access. The user has to GIVE you control, and can take it back, in the event that you go nuts and attempt to format the drive, delete files, etc. Not that it would ever happen to you, Tom... ;-) Does that help? Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, July 14, 2005 12:30 PM To: ActiveDir (E-mail) Subject: [ActiveDir] Remote Desktop vs. Remote assistance What is the actual diff between RD and RA? If i RD to a winxp desktop, that allows 1 connection. Can someone Shadow it or no? Is there any reason to use one over the other for support? or is RA just easier/better because you can share the session and you can see what a user is doing and interact? Also, is there a gpo or reg hack that allows me as a Domain Admin to RA to a user w/o her asking for RA via and email or im or file transfer or allowing me to log on? Thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail
RE: [ActiveDir] Remote Desktop vs. Remote assistance
You cannot shadow a ts connection to xp. Dan - Good clarification. I didn't really differentiate between the CLIENT ts function and the SERVER. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme Sent: Thursday, July 14, 2005 1:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance BOTTOM LINE I think I know what you're saying and RA *is* the answer. Set up RA using GPOs. IN group policy, you add your Help Desk group as the HELPERS group that is allowed to OFFER remote assistance: Computer config\admin templates\system\remote assistance And specify that they are allowed to remotely control the system. That's all you need to do. Now, when a user calls, the help desk says hold on, launches an RA session to the user's desktop. The ONLY potential difference from VNC is that the user will get a little notice that says Dan is wanting to offer remote assistance and will have to click OK. At that point the helper can view, no problem. There is a second confirmation box IF the helper actually launches control. But believe me, the messages are clear enough and the help desk is on the phone anyway, right? So it's not tough to figure out! It beats having a third party app doing the same thing! One less thing to manage (and RA, as part of XP and GPO infrastructure is EASIER to manage), and one less thing to have to keep up with patches on. DETAILS You cannot shadow a ts connection to xp. Remember how it works on a server... the user is ts'd to the server; the support person has a SEPARATE ts to the server and jumps in to the user's ts. It requires multiple TS connections and XP doesn't support that. The ONLY 'shadow' to a THICK client is RA. If XP is TS'd into a TS, then you can shadow that TS connection (as described above). I am working with a high profile client right now and we just 'banished' VNC on XP systems. We found its admin logon encryption lacking, in the version we were using, and, more importantly, it just wasn't necessary. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, July 14, 2005 11:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance thanks alot, rick and dan. can you shadow a ts connection to xp like on server? as to the user giving me control, i thought that was just a policy that could be configured, NOT hardwired into the os somehow. I thought if i was a DA and by default then a local admin on the box, when i RA in, i could over rule that setting somehow since i am in actuallity a admin of the box. I only ask because we use VNC here for some help desk stuuf and i wanted to replace it with RA since we are mostly xp on the client but i'm araid with this asking for help stuff and allowing access, my users would get confused awfully quick. they don't adapt well to change. usually, someone here calls them and then says ok, i'm gonna connect to your machine or they might be away and a help desk admin connects to their box. RA doesn't seem to make this as simple as vnc does, i guess. I still wonder how as an admin you can be denied RA access to a box or need permission. is it a local system thing? thanks for all your help and sorry to bore you with my issues. -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Thursday, July 14, 2005 1:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance With Remote Desktop, you are going to take over the machine (in the case of XP) kicking off any logged on person in the act of taking over the machine. Your access is the same as the credentials in which you login as. With Remote Access, you need to receive an invitation and the user is not kicked off. Both of you will see what is on the screen, and initially you have view only access. The user has to GIVE you control, and can take it back, in the event that you go nuts and attempt to format the drive, delete files, etc. Not that it would ever happen to you, Tom... ;-) Does that help? Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, July 14, 2005 12:30 PM To: ActiveDir (E-mail) Subject: [ActiveDir] Remote Desktop vs. Remote assistance What is the actual diff between RD and RA? If i RD to a winxp desktop, that allows 1 connection. Can someone Shadow it or no? Is there any reason to use one over the other for support? or is RA just easier/better because you can share the session and you can see what a user is doing and interact? Also, is there a gpo or reg hack that allows me as a Domain Admin to RA to a user w/o her asking for RA via and email or im or file transfer or allowing me to log on? Thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org
RE: [ActiveDir] Remote Desktop vs. Remote assistance
Just for reference: Use following to create shortcuts to remote assistance UIs. 1. Offer remote assistance: explorer.exe hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assis tance/Escalation/Unsolicited/Unsolicitedrcui.htm 2. Ask for assistance: rcimlby.exe -LaunchRA Note that first one is one line command, watch for line wrapping. 3. Auto Accept and Take Control for Remote Assistance: http://www.anetforums.com/posts.aspx?ThreadIndex=3115 -- Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Thursday, July 14, 2005 11:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance You cannot shadow a ts connection to xp. Dan - Good clarification. I didn't really differentiate between the CLIENT ts function and the SERVER. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme Sent: Thursday, July 14, 2005 1:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance BOTTOM LINE I think I know what you're saying and RA *is* the answer. Set up RA using GPOs. IN group policy, you add your Help Desk group as the HELPERS group that is allowed to OFFER remote assistance: Computer config\admin templates\system\remote assistance And specify that they are allowed to remotely control the system. That's all you need to do. Now, when a user calls, the help desk says hold on, launches an RA session to the user's desktop. The ONLY potential difference from VNC is that the user will get a little notice that says Dan is wanting to offer remote assistance and will have to click OK. At that point the helper can view, no problem. There is a second confirmation box IF the helper actually launches control. But believe me, the messages are clear enough and the help desk is on the phone anyway, right? So it's not tough to figure out! It beats having a third party app doing the same thing! One less thing to manage (and RA, as part of XP and GPO infrastructure is EASIER to manage), and one less thing to have to keep up with patches on. DETAILS You cannot shadow a ts connection to xp. Remember how it works on a server... the user is ts'd to the server; the support person has a SEPARATE ts to the server and jumps in to the user's ts. It requires multiple TS connections and XP doesn't support that. The ONLY 'shadow' to a THICK client is RA. If XP is TS'd into a TS, then you can shadow that TS connection (as described above). I am working with a high profile client right now and we just 'banished' VNC on XP systems. We found its admin logon encryption lacking, in the version we were using, and, more importantly, it just wasn't necessary. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, July 14, 2005 11:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance thanks alot, rick and dan. can you shadow a ts connection to xp like on server? as to the user giving me control, i thought that was just a policy that could be configured, NOT hardwired into the os somehow. I thought if i was a DA and by default then a local admin on the box, when i RA in, i could over rule that setting somehow since i am in actuallity a admin of the box. I only ask because we use VNC here for some help desk stuuf and i wanted to replace it with RA since we are mostly xp on the client but i'm araid with this asking for help stuff and allowing access, my users would get confused awfully quick. they don't adapt well to change. usually, someone here calls them and then says ok, i'm gonna connect to your machine or they might be away and a help desk admin connects to their box. RA doesn't seem to make this as simple as vnc does, i guess. I still wonder how as an admin you can be denied RA access to a box or need permission. is it a local system thing? thanks for all your help and sorry to bore you with my issues. -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Thursday, July 14, 2005 1:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance With Remote Desktop, you are going to take over the machine (in the case of XP) kicking off any logged on person in the act of taking over the machine. Your access is the same as the credentials in which you login as. With Remote Access, you need to receive an invitation and the user is not kicked off. Both of you will see what is on the screen, and initially you have view only access. The user has to GIVE you control, and can take it back, in the event that you go nuts and attempt to format the drive, delete files, etc. Not that it would ever happen to you, Tom... ;-) Does that help? Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED
RE: [ActiveDir] Remote Desktop vs. Remote assistance
Well, isn't that convenient? Thanks much, I've been wondering that for months now. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexander Suhovey Sent: Thursday, July 14, 2005 3:19 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance Just for reference: Use following to create shortcuts to remote assistance UIs. 1. Offer remote assistance: explorer.exe hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20A ssis tance/Escalation/Unsolicited/Unsolicitedrcui.htm 2. Ask for assistance: rcimlby.exe -LaunchRA Note that first one is one line command, watch for line wrapping. 3. Auto Accept and Take Control for Remote Assistance: http://www.anetforums.com/posts.aspx?ThreadIndex=3115 -- Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Thursday, July 14, 2005 11:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance You cannot shadow a ts connection to xp. Dan - Good clarification. I didn't really differentiate between the CLIENT ts function and the SERVER. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme Sent: Thursday, July 14, 2005 1:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance BOTTOM LINE I think I know what you're saying and RA *is* the answer. Set up RA using GPOs. IN group policy, you add your Help Desk group as the HELPERS group that is allowed to OFFER remote assistance: Computer config\admin templates\system\remote assistance And specify that they are allowed to remotely control the system. That's all you need to do. Now, when a user calls, the help desk says hold on, launches an RA session to the user's desktop. The ONLY potential difference from VNC is that the user will get a little notice that says Dan is wanting to offer remote assistance and will have to click OK. At that point the helper can view, no problem. There is a second confirmation box IF the helper actually launches control. But believe me, the messages are clear enough and the help desk is on the phone anyway, right? So it's not tough to figure out! It beats having a third party app doing the same thing! One less thing to manage (and RA, as part of XP and GPO infrastructure is EASIER to manage), and one less thing to have to keep up with patches on. DETAILS You cannot shadow a ts connection to xp. Remember how it works on a server... the user is ts'd to the server; the support person has a SEPARATE ts to the server and jumps in to the user's ts. It requires multiple TS connections and XP doesn't support that. The ONLY 'shadow' to a THICK client is RA. If XP is TS'd into a TS, then you can shadow that TS connection (as described above). I am working with a high profile client right now and we just 'banished' VNC on XP systems. We found its admin logon encryption lacking, in the version we were using, and, more importantly, it just wasn't necessary. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, July 14, 2005 11:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance thanks alot, rick and dan. can you shadow a ts connection to xp like on server? as to the user giving me control, i thought that was just a policy that could be configured, NOT hardwired into the os somehow. I thought if i was a DA and by default then a local admin on the box, when i RA in, i could over rule that setting somehow since i am in actuallity a admin of the box. I only ask because we use VNC here for some help desk stuuf and i wanted to replace it with RA since we are mostly xp on the client but i'm araid with this asking for help stuff and allowing access, my users would get confused awfully quick. they don't adapt well to change. usually, someone here calls them and then says ok, i'm gonna connect to your machine or they might be away and a help desk admin connects to their box. RA doesn't seem to make this as simple as vnc does, i guess. I still wonder how as an admin you can be denied RA access to a box or need permission. is it a local system thing? thanks for all your help and sorry to bore you with my issues. -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Thursday, July 14, 2005 1:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote Desktop vs. Remote assistance With Remote Desktop, you are going to take over the machine (in the case of XP) kicking off any logged on person in the act of taking over the machine. Your access is the same as the credentials in which you login as. With Remote Access, you need to receive an invitation and the user is not kicked off. Both of you will see what is on the screen
Re: [ActiveDir] Remote Desktop functionality on Windows 2003
computer configuration, Administrative templates, Windows Components, terminal services. Enable allow users to connect remotely using terminal services Nathan Casey Network Analyst WGS-ISD County of Sonoma [EMAIL PROTECTED] (707) 565-3519 [EMAIL PROTECTED] 01/25/05 10:46 PM Hi all from sunny South Africa Does anyone know if it's possible to turn on Remote Desktop for Windows 2003 by GPO? We are rolling out a whole lot of W2K3 servers and always seem to forget to turn on this feature :-) ;( Regards Peter Johnson List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] remote desktop sharing tool
If you like VNC, I would suggest you look at TightVNC. Regular VNC is a resource hog, TightVNC is much more efficient... Tyson. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Boghici Sent: Saturday, December 18, 2004 4:27 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] remote desktop sharing tool Thank you all guys. I'll use vnc, I just tested one server and 5 clients in my LAN and is beautiful. Best regards. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Sunday, December 19, 2004 1:22 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] remote desktop sharing tool NetOp would be my recommendation. We have it in all the labs here. It has a learning curve for the operator, but, once you know what you're doing, it is a very powerful tool. Thanks. --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org v - 773.534.0034 x135 f - 773.534.8101 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Chris Lynch Sent: Saturday, December 18, 2004 2:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] remote desktop sharing tool -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 You can use other 3rd party tools, like WebEx, to create a conference. You could also use something like NetOp Remote Control. You could also use VNC. If you were thinking of Terminal Services, Terminal Services currently does not support that type of functionality. Maybe when Longhorn is released. Only the ICA protocol (Citrix MetaFrame) supports that. Chris From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Boghici Sent: Saturday, December 18, 2004 9:35 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] remote desktop sharing tool Hi Is there any tool that can give me the possibility to give other domain users to access my screen and in the same time to edit (my and every body else that I give access) the documents that I am working on. It is very helpful for projects and training sessions. May be if there is not such tool for the domain users one could be for the same scenario but everybody to log with the same user and password ( more connections). Best regards, Dan -BEGIN PGP SIGNATURE- Version: PGP 8.0.3 Comment: Public PGP Key for Chris Lynch iQA/AwUBQcSQkm9fg+xq5T3MEQKYrQCg1CTQIY7hPeyH310Y0C7lDm9r+K4AoKq+ W1x8bYWwsQ3/cK0OXJCWs+Lv =yyLD -END PGP SIGNATURE- List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] remote desktop sharing tool
UltraVNC has just been released - I've been using it over the past few weeks ... And highly recommend it. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie Sent: Tuesday, December 21, 2004 9:08 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] remote desktop sharing tool If you like VNC, I would suggest you look at TightVNC. Regular VNC is a resource hog, TightVNC is much more efficient... Tyson. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Boghici Sent: Saturday, December 18, 2004 4:27 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] remote desktop sharing tool Thank you all guys. I'll use vnc, I just tested one server and 5 clients in my LAN and is beautiful. Best regards. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Sunday, December 19, 2004 1:22 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] remote desktop sharing tool NetOp would be my recommendation. We have it in all the labs here. It has a learning curve for the operator, but, once you know what you're doing, it is a very powerful tool. Thanks. --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org v - 773.534.0034 x135 f - 773.534.8101 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Chris Lynch Sent: Saturday, December 18, 2004 2:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] remote desktop sharing tool -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 You can use other 3rd party tools, like WebEx, to create a conference. You could also use something like NetOp Remote Control. You could also use VNC. If you were thinking of Terminal Services, Terminal Services currently does not support that type of functionality. Maybe when Longhorn is released. Only the ICA protocol (Citrix MetaFrame) supports that. Chris From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Boghici Sent: Saturday, December 18, 2004 9:35 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] remote desktop sharing tool Hi Is there any tool that can give me the possibility to give other domain users to access my screen and in the same time to edit (my and every body else that I give access) the documents that I am working on. It is very helpful for projects and training sessions. May be if there is not such tool for the domain users one could be for the same scenario but everybody to log with the same user and password ( more connections). Best regards, Dan -BEGIN PGP SIGNATURE- Version: PGP 8.0.3 Comment: Public PGP Key for Chris Lynch iQA/AwUBQcSQkm9fg+xq5T3MEQKYrQCg1CTQIY7hPeyH310Y0C7lDm9r+K4AoKq+ W1x8bYWwsQ3/cK0OXJCWs+Lv =yyLD -END PGP SIGNATURE- List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] remote desktop sharing tool
You can, if you want another lower tek (and potentially cheaper than webex) solution, Use netmeeting with desktop sharing to achieve your goals. Of course that presents a whole slew of other network issues, firewalls, etc, but that's the same story all acorss the board. Shadow -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Caple, Andrew Sent: Monday, December 20, 2004 2:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] remote desktop sharing tool UltraVNC has just been released - I've been using it over the past few weeks ... And highly recommend it. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie Sent: Tuesday, December 21, 2004 9:08 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] remote desktop sharing tool If you like VNC, I would suggest you look at TightVNC. Regular VNC is a resource hog, TightVNC is much more efficient... Tyson. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Boghici Sent: Saturday, December 18, 2004 4:27 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] remote desktop sharing tool Thank you all guys. I'll use vnc, I just tested one server and 5 clients in my LAN and is beautiful. Best regards. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Sunday, December 19, 2004 1:22 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] remote desktop sharing tool NetOp would be my recommendation. We have it in all the labs here. It has a learning curve for the operator, but, once you know what you're doing, it is a very powerful tool. Thanks. --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org v - 773.534.0034 x135 f - 773.534.8101 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Chris Lynch Sent: Saturday, December 18, 2004 2:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] remote desktop sharing tool -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 You can use other 3rd party tools, like WebEx, to create a conference. You could also use something like NetOp Remote Control. You could also use VNC. If you were thinking of Terminal Services, Terminal Services currently does not support that type of functionality. Maybe when Longhorn is released. Only the ICA protocol (Citrix MetaFrame) supports that. Chris From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Boghici Sent: Saturday, December 18, 2004 9:35 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] remote desktop sharing tool Hi Is there any tool that can give me the possibility to give other domain users to access my screen and in the same time to edit (my and every body else that I give access) the documents that I am working on. It is very helpful for projects and training sessions. May be if there is not such tool for the domain users one could be for the same scenario but everybody to log with the same user and password ( more connections). Best regards, Dan -BEGIN PGP SIGNATURE- Version: PGP 8.0.3 Comment: Public PGP Key for Chris Lynch iQA/AwUBQcSQkm9fg+xq5T3MEQKYrQCg1CTQIY7hPeyH310Y0C7lDm9r+K4AoKq+ W1x8bYWwsQ3/cK0OXJCWs+Lv =yyLD -END PGP SIGNATURE- List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] remote desktop sharing tool
You could also create a Helprequest right out of theHelp and Support Centerif you have Windows XP and Remote Support is enabled. Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book "Windows XP - Die Expertentipps":http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner WebSite: http://www.windowsserverfaq.org From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan BoghiciSent: Saturday, December 18, 2004 6:35 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] remote desktop sharing tool Hi Is there any tool that can give me the possibility to give other domain users to access my screen and in the same time to edit (my and every body else that I give access) the documents that I am working on. It is very helpful for projects and training sessions. May be if there is not such tool for the domain users one could be for the same scenario but everybody to log with the same user and password ( more connections). Best regards, Dan
RE: [ActiveDir] remote desktop sharing tool
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 You can use other 3rd party tools, like WebEx, to create a conference. You could also use something like NetOp Remote Control. You could also use VNC. If you were thinking of Terminal Services, Terminal Services currently does not support that type of functionality. Maybe when Longhorn is released. Only the ICA protocol (Citrix MetaFrame) supports that. Chris From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Boghici Sent: Saturday, December 18, 2004 9:35 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] remote desktop sharing tool Hi Is there any tool that can give me the possibility to give other domain users to access my screen and in the same time to edit (my and every body else that I give access) the documents that I am working on. It is very helpful for projects and training sessions. May be if there is not such tool for the domain users one could be for the same scenario but everybody to log with the same user and password ( more connections). Best regards, Dan -BEGIN PGP SIGNATURE- Version: PGP 8.0.3 Comment: Public PGP Key for Chris Lynch iQA/AwUBQcSQkm9fg+xq5T3MEQKYrQCg1CTQIY7hPeyH310Y0C7lDm9r+K4AoKq+ W1x8bYWwsQ3/cK0OXJCWs+Lv =yyLD -END PGP SIGNATURE- List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] remote desktop sharing tool
NetOp would be my recommendation. We have it in all the labs here. It has a learning curve for the operator, but, once you know what you're doing, it is a very powerful tool. Thanks. --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org v - 773.534.0034 x135 f - 773.534.8101 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Chris Lynch Sent: Saturday, December 18, 2004 2:18 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] remote desktop sharing tool -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 You can use other 3rd party tools, like WebEx, to create a conference. You could also use something like NetOp Remote Control. You could also use VNC. If you were thinking of Terminal Services, Terminal Services currently does not support that type of functionality. Maybe when Longhorn is released. Only the ICA protocol (Citrix MetaFrame) supports that. Chris From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Boghici Sent: Saturday, December 18, 2004 9:35 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] remote desktop sharing tool Hi Is there any tool that can give me the possibility to give other domain users to access my screen and in the same time to edit (my and every body else that I give access) the documents that I am working on. It is very helpful for projects and training sessions. May be if there is not such tool for the domain users one could be for the same scenario but everybody to log with the same user and password ( more connections). Best regards, Dan -BEGIN PGP SIGNATURE- Version: PGP 8.0.3 Comment: Public PGP Key for Chris Lynch iQA/AwUBQcSQkm9fg+xq5T3MEQKYrQCg1CTQIY7hPeyH310Y0C7lDm9r+K4AoKq+ W1x8bYWwsQ3/cK0OXJCWs+Lv =yyLD -END PGP SIGNATURE- List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] remote desktop sharing tool
Thank you all guys. I'll use vnc, I just tested one server and 5 clients in my LAN and is beautiful. Best regards. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Sunday, December 19, 2004 1:22 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] remote desktop sharing tool NetOp would be my recommendation. We have it in all the labs here. It has a learning curve for the operator, but, once you know what you're doing, it is a very powerful tool. Thanks. --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org v - 773.534.0034 x135 f - 773.534.8101 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Chris Lynch Sent: Saturday, December 18, 2004 2:18 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] remote desktop sharing tool -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 You can use other 3rd party tools, like WebEx, to create a conference. You could also use something like NetOp Remote Control. You could also use VNC. If you were thinking of Terminal Services, Terminal Services currently does not support that type of functionality. Maybe when Longhorn is released. Only the ICA protocol (Citrix MetaFrame) supports that. Chris From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Boghici Sent: Saturday, December 18, 2004 9:35 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] remote desktop sharing tool Hi Is there any tool that can give me the possibility to give other domain users to access my screen and in the same time to edit (my and every body else that I give access) the documents that I am working on. It is very helpful for projects and training sessions. May be if there is not such tool for the domain users one could be for the same scenario but everybody to log with the same user and password ( more connections). Best regards, Dan -BEGIN PGP SIGNATURE- Version: PGP 8.0.3 Comment: Public PGP Key for Chris Lynch iQA/AwUBQcSQkm9fg+xq5T3MEQKYrQCg1CTQIY7hPeyH310Y0C7lDm9r+K4AoKq+ W1x8bYWwsQ3/cK0OXJCWs+Lv =yyLD -END PGP SIGNATURE- List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Remote Desktop Issue
Joe - Re your DEC writeup, I grabbed an extra copy of Stuart's survey to show the folks back home, so if you want the complete thing I've got it - I don't know if anybody would be opposed to my posting it here or not... (Stuart ? Gil ? Anyone?) It was good to meet you and your manager at DEC - as I told you there, I appreciate your 'rants' on this list and always learn something. Oh and by the way...I have one of the last of Gil's rubber chickens, bestowed upon me at DEC 2003 in Scottsdale...it's hanging right here in my cube (rub, rub, rub) Dave -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of joeSent: Sunday, March 28, 2004 8:07 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Remote Desktop Issue Ok that does seem weird. I am going to try and forget I read that as it doesn't agree with my world view... eg [1] No problem on the DEC writeup, I hope Gil wakes up and comes on here and does a more detailed (corrected) write up. As for the rubber chicken... how come everyone has to rub that in... :o) [1] That of course is a joke. If I didn't remember the silly things like that my Windows knowledge would be only about 80% of what it is as those weird things are worth remembering because you never know when you can apply it to some other problem and it will solve that too. An example was a problem where the logon process was giving workstations an FQDN for the logon script and the clients were chopping that down to a single host name and using WINS to do the resolution. Well in our environment only data center DCs are listed inall WINSservers so when a client decided to choose a remote WAN DC it never got logon scripts... Well when we were playing with something in Exchange trying to install something or another we ran into a problem and that client issue seemed to be very similar so we did a network trace and voila, sure enough... The exchange server was given an FQDN and was chopping it down to a short host name and not able to resolve it that way... Actually I just recently saw that MS put out a KB Article on Exchange 2000's need for WINS... - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel GilbertSent: Saturday, March 27, 2004 11:39 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Remote Desktop Issue Nothing appeared in the event logs. I was able to clear up the problem. Do know why this worked but here is what I did: Added the new Enterprise Admin to the Remote Desktop tab in SYSTEM properties. Let him log in successfully, had him log off, removed him from Remote Desktop tab, had him log in again. I know, everyone is saying, Wait a minute! If the Remote Desktop tab is empty then Administrators can log in by default Yep, I totally agree. Dont understand why this worked but it did. BTW Joe, great write up on DEC. I was supposed to attend but we started a big Windows 2003 migration and I happen to have the last Rubber Chicken Gil ever gave out at a DEC, got it in Ottawa. DAn From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Saturday, March 27, 2004 7:47 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Remote Desktop Issue That almost sounds likea disk space or permissions issue... I.E. it is trying to create the local profile, failing, and blowing the user off. Anything in the event logs? joe - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel L. GilbertSent: Friday, March 26, 2004 12:48 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Remote Desktop Issue No error message. He gets the logon prompt, logs on, the screen flashes applying settings then the terminal session screen closes out. Really weird. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim HinesSent: Thursday, March 25, 2004 12:35 PMTo: [EMAIL PROTECTED]Subject: Re: [ActiveDir] Remote Desktop Issue What error does he get when trying to connect using a terminal session? - Original Message - From: Gilbert, Daniel L Mr ANOSC/FCBS To: ActiveDir ([EMAIL PROTECTED]) Sent: Thursday, March 25, 2004 1:58 PM Subject: [ActiveDir] Remote Desktop Issue To All: I have a Remote Desktop issue that is driving me nuts. Servers are Windows Server 2003. I have a root domain spread across to two different sites, both
RE: [ActiveDir] Remote Desktop Issue
Doesn't local "Administrators" by default include "Domain Admins" but not "Enterprise Admins"? -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Daniel GilbertSent: Saturday, March 27, 2004 11:39 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Remote Desktop Issue Nothing appeared in the event logs. I was able to clear up the problem. Do know why this worked but here is what I did: Added the new Enterprise Admin to the Remote Desktop tab in SYSTEM properties. Let him log in successfully, had him log off, removed him from Remote Desktop tab, had him log in again. I know, everyone is saying, Wait a minute! If the Remote Desktop tab is empty then Administrators can log in by default Yep, I totally agree. Dont understand why this worked but it did. BTW Joe, great write up on DEC. I was supposed to attend but we started a big Windows 2003 migration and I happen to have the last Rubber Chicken Gil ever gave out at a DEC, got it in Ottawa. DAn From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Saturday, March 27, 2004 7:47 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Remote Desktop Issue That almost sounds likea disk space or permissions issue... I.E. it is trying to create the local profile, failing, and blowing the user off. Anything in the event logs? joe - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel L. GilbertSent: Friday, March 26, 2004 12:48 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Remote Desktop Issue No error message. He gets the logon prompt, logs on, the screen flashes applying settings then the terminal session screen closes out. Really weird. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim HinesSent: Thursday, March 25, 2004 12:35 PMTo: [EMAIL PROTECTED]Subject: Re: [ActiveDir] Remote Desktop Issue What error does he get when trying to connect using a terminal session? - Original Message - From: Gilbert, Daniel L Mr ANOSC/FCBS To: ActiveDir ([EMAIL PROTECTED]) Sent: Thursday, March 25, 2004 1:58 PM Subject: [ActiveDir] Remote Desktop Issue To All: I have a Remote Desktop issue that is driving me nuts. Servers are Windows Server 2003. I have a root domain spread across to two different sites, both physically (East Coast and West Coast) and AD wise (AD East and AD West). My two Enterprise Admins are members of a child domain (Child1) and through security group membership; they are placed into the Enterprise Admins security group in the root domain. This structure has worked fine for the last year. One of the Enterprise Admins has moved on to a bigger and better job and I promoted one of my Senior Admins to become a new Enterprise Admin. Now the fun part begins. The new Enterprise Admin can log on locally to the root DCs in the physical site West Coast (the bulk of the root is here) from either the keyboard or via Remote Desktop. The new Enterprise Admin can log on locally to the root DCs in the physical site East Coast (our COOP site) from the keyboard but he can not log in via Remote Desktop. I am sure his account has replicated from West Coast to East Coast because he can log on from the keyboard and I have waited long enough for replication to occur. I checked the permissions on the RDP connection but it still at default. Any ideas where I can go for a clue? My head is getting squishy from beating it against the wall. Daniel L. Gilbert, Contractor SeniorActive DirectorySpecialist CONUS Theater Network Operations and Security Center (CONUS-TNOSC) (520) 533-6700 DSN: 821-6700 [EMAIL PROTECTED]
RE: [ActiveDir] Remote Desktop Issue
That almost sounds likea disk space or permissions issue... I.E. it is trying to create the local profile, failing, and blowing the user off. Anything in the event logs? joe - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel L. GilbertSent: Friday, March 26, 2004 12:48 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Remote Desktop Issue No error message. He gets the logon prompt, logs on, the screen flashes applying settings then the terminal session screen closes out. Really weird. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim HinesSent: Thursday, March 25, 2004 12:35 PMTo: [EMAIL PROTECTED]Subject: Re: [ActiveDir] Remote Desktop Issue What error does he get when trying to connect using a terminal session? - Original Message - From: Gilbert, Daniel L Mr ANOSC/FCBS To: ActiveDir ([EMAIL PROTECTED]) Sent: Thursday, March 25, 2004 1:58 PM Subject: [ActiveDir] Remote Desktop Issue To All: I have a Remote Desktop issue that is driving me nuts. Servers are Windows Server 2003. I have a root domain spread across to two different sites, both physically (East Coast and West Coast) and AD wise (AD East and AD West). My two Enterprise Admins are members of a child domain (Child1) and through security group membership; they are placed into the Enterprise Admins security group in the root domain. This structure has worked fine for the last year. One of the Enterprise Admins has moved on to a bigger and better job and I promoted one of my Senior Admins to become a new Enterprise Admin. Now the fun part begins. The new Enterprise Admin can log on locally to the root DCs in the physical site West Coast (the bulk of the root is here) from either the keyboard or via Remote Desktop. The new Enterprise Admin can log on locally to the root DCs in the physical site East Coast (our COOP site) from the keyboard but he can not log in via Remote Desktop. I am sure his account has replicated from West Coast to East Coast because he can log on from the keyboard and I have waited long enough for replication to occur. I checked the permissions on the RDP connection but it still at default. Any ideas where I can go for a clue? My head is getting squishy from beating it against the wall. Daniel L. Gilbert, Contractor SeniorActive DirectorySpecialist CONUS Theater Network Operations and Security Center (CONUS-TNOSC) (520) 533-6700 DSN: 821-6700 [EMAIL PROTECTED]
RE: [ActiveDir] Remote Desktop Issue
Nothing appeared in the event logs. I was able to clear up the problem. Do know why this worked but here is what I did: Added the new Enterprise Admin to the Remote Desktop tab in SYSTEM properties. Let him log in successfully, had him log off, removed him from Remote Desktop tab, had him log in again. I know, everyone is saying, Wait a minute! If the Remote Desktop tab is empty then Administrators can log in by default Yep, I totally agree. Dont understand why this worked but it did. BTW Joe, great write up on DEC. I was supposed to attend but we started a big Windows 2003 migration and I happen to have the last Rubber Chicken Gil ever gave out at a DEC, got it in Ottawa. DAn From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, March 27, 2004 7:47 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote Desktop Issue That almost sounds likea disk space or permissions issue... I.E. it is trying to create the local profile, failing, and blowing the user off. Anything in the event logs? joe - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel L. Gilbert Sent: Friday, March 26, 2004 12:48 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote Desktop Issue No error message. He gets the logon prompt, logs on, the screen flashes applying settings then the terminal session screen closes out. Really weird. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines Sent: Thursday, March 25, 2004 12:35 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Remote Desktop Issue What error does he get when trying to connect using a terminal session? - Original Message - From: Gilbert, Daniel L Mr ANOSC/FCBS To: ActiveDir ([EMAIL PROTECTED]) Sent: Thursday, March 25, 2004 1:58 PM Subject: [ActiveDir] Remote Desktop Issue To All: I have a Remote Desktop issue that is driving me nuts. Servers are Windows Server 2003. I have a root domain spread across to two different sites, both physically (East Coast and West Coast) and AD wise (AD East and AD West). My two Enterprise Admins are members of a child domain (Child1) and through security group membership; they are placed into the Enterprise Admins security group in the root domain. This structure has worked fine for the last year. One of the Enterprise Admins has moved on to a bigger and better job and I promoted one of my Senior Admins to become a new Enterprise Admin. Now the fun part begins. The new Enterprise Admin can log on locally to the root DCs in the physical site West Coast (the bulk of the root is here) from either the keyboard or via Remote Desktop. The new Enterprise Admin can log on locally to the root DCs in the physical site East Coast (our COOP site) from the keyboard but he can not log in via Remote Desktop. I am sure his account has replicated from West Coast to East Coast because he can log on from the keyboard and I have waited long enough for replication to occur. I checked the permissions on the RDP connection but it still at default. Any ideas where I can go for a clue? My head is getting squishy from beating it against the wall. Daniel L. Gilbert, Contractor SeniorActive DirectorySpecialist CONUS Theater Network Operations and Security Center (CONUS-TNOSC) (520) 533-6700 DSN: 821-6700 [EMAIL PROTECTED]
RE: [ActiveDir] Remote Desktop
i have a question here: unless something has changed, domain admins should be populated in the local administrators group when you join the domain...so, by default they should have remote access rights. there are ways to block this with policy, and the most obvious one would be to use restricted groups on the local administrators group, without putting in domain admins. that could be pretty dangerous, although, a custom global group could be populated in there for the rights. but if everything is on the defaults, it should just be working on its own. what am i missing here? thanks |-+-- | | Seyboldt, Volker | | | [EMAIL PROTECTED]| | | | | | Sent by: | | | [EMAIL PROTECTED]| | | tivedir.org| | | | | | | | | 03/24/2004 02:29 PM| | | Please respond to | | | ActiveDir | | | | |-+-- | | | | To: [EMAIL PROTECTED] | | cc: | | Subject: RE: [ActiveDir] Remote Desktop | | yes you can You can use restricted groups in group policies to add any group you want to the local Remote Desktop Users at each PC. Members (Users and/or groups) of the PC's local ADministrator group are also automatically allowed to connect remotly From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto Sent: Wednesday, March 24, 2004 9:16 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Remote Desktop Is there a way to add Domain Admins to the Remote Users of every pc in our Domain with AD and not go to every PC? List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Remote Desktop
I thought that was the case Domain Admins have access to Remote Desktop by default. But how do you activate it via AD. If the Allow users to connect remotely to this computer is not checked this is useless. Lynden -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, March 25, 2004 9:17 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote Desktop i have a question here: unless something has changed, domain admins should be populated in the local administrators group when you join the domain...so, by default they should have remote access rights. there are ways to block this with policy, and the most obvious one would be to use restricted groups on the local administrators group, without putting in domain admins. that could be pretty dangerous, although, a custom global group could be populated in there for the rights. but if everything is on the defaults, it should just be working on its own. what am i missing here? thanks |-+-- | | Seyboldt, Volker | | | [EMAIL PROTECTED]| | | | | | Sent by: | | | [EMAIL PROTECTED]| | | tivedir.org| | | | | | | | | 03/24/2004 02:29 PM| | | Please respond to | | | ActiveDir | | | | |-+-- --- -| | | | To: [EMAIL PROTECTED] | | cc: | | Subject: RE: [ActiveDir] Remote Desktop | --- -| yes you can You can use restricted groups in group policies to add any group you want to the local Remote Desktop Users at each PC. Members (Users and/or groups) of the PC's local ADministrator group are also automatically allowed to connect remotly From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto Sent: Wednesday, March 24, 2004 9:16 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Remote Desktop Is there a way to add Domain Admins to the Remote Users of every pc in our Domain with AD and not go to every PC? List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This message is intended for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message in not the intended recipient or the employer or agent responsible for delivering the message to the recipient, you are hereby notified that dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by email or telephone, and delete this message and all of its attachments.
RE: [ActiveDir] Remote Desktop
I tried this last night on my test machine and the domain admins are automatically populated in the local admin group -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, March 25, 2004 15:17 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote Desktop i have a question here: unless something has changed, domain admins should be populated in the local administrators group when you join the domain...so, by default they should have remote access rights. there are ways to block this with policy, and the most obvious one would be to use restricted groups on the local administrators group, without putting in domain admins. that could be pretty dangerous, although, a custom global group could be populated in there for the rights. but if everything is on the defaults, it should just be working on its own. what am i missing here? thanks |-+-- | | Seyboldt, Volker | | | [EMAIL PROTECTED]| | | | | | Sent by: | | | [EMAIL PROTECTED]| | | tivedir.org| | | | | | | | | 03/24/2004 02:29 PM| | | Please respond to | | | ActiveDir | | | | |-+-- --- -| | | | To: [EMAIL PROTECTED] | | cc: | | Subject: RE: [ActiveDir] Remote Desktop | --- -| yes you can You can use restricted groups in group policies to add any group you want to the local Remote Desktop Users at each PC. Members (Users and/or groups) of the PC's local ADministrator group are also automatically allowed to connect remotly From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto Sent: Wednesday, March 24, 2004 9:16 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Remote Desktop Is there a way to add Domain Admins to the Remote Users of every pc in our Domain with AD and not go to every PC? List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Remote Desktop
You can use this custom ADM to enable that little check box. I can't claim credit for it however. It was posted by a guy named Joe Elway from Ireland on the GPO forum I moderate. Pretty useful. ;;; CLASS MACHINE ;; ;;; CATEGORY Custom CATEGORY Remote Control POLICY Enable Remtoe Control #if version = 4 SUPPORTED XP and W2003 #endif KEYNAME SYSTEM\CurrentControlSet\Control\Terminal Server EXPLAIN Enable Remote Control VALUENAME fDenyTSConnections VALUEON NUMERIC 0 VALUEOFF NUMERIC 1 END POLICY END CATEGORY ; Custom END CATEGORY ; Remote Control -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto Sent: Thursday, March 25, 2004 7:41 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Remote Desktop I thought that was the case Domain Admins have access to Remote Desktop by default. But how do you activate it via AD. If the Allow users to connect remotely to this computer is not checked this is useless. Lynden -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, March 25, 2004 9:17 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote Desktop i have a question here: unless something has changed, domain admins should be populated in the local administrators group when you join the domain...so, by default they should have remote access rights. there are ways to block this with policy, and the most obvious one would be to use restricted groups on the local administrators group, without putting in domain admins. that could be pretty dangerous, although, a custom global group could be populated in there for the rights. but if everything is on the defaults, it should just be working on its own. what am i missing here? thanks |-+-- | | Seyboldt, Volker | | | [EMAIL PROTECTED]| | | | | | Sent by: | | | [EMAIL PROTECTED]| | | tivedir.org| | | | | | | | | 03/24/2004 02:29 PM| | | Please respond to | | | ActiveDir | | | | |-+-- --- -| | | | To: [EMAIL PROTECTED] | | cc: | | Subject: RE: [ActiveDir] Remote Desktop | --- -| yes you can You can use restricted groups in group policies to add any group you want to the local Remote Desktop Users at each PC. Members (Users and/or groups) of the PC's local ADministrator group are also automatically allowed to connect remotly From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto Sent: Wednesday, March 24, 2004 9:16 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Remote Desktop Is there a way to add Domain Admins to the Remote Users of every pc in our Domain with AD and not go to every PC? List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Remote Desktop
well, at least on my xp box setting a gpo on my test ou computer configuration/administrative templates/windows components/terminal services/allow users to connect remotely using terminal services...setting this to enabled, checks the box, and greys it out imho, much better to use the built in fucntions than a custom adm file, much easier to reverse. |-+-- | | Darren Mar-Elia | | | [EMAIL PROTECTED]| | | om| | | Sent by: | | | [EMAIL PROTECTED]| | | tivedir.org| | | | | | | | | 03/25/2004 10:50 AM| | | Please respond to | | | ActiveDir | | | | |-+-- --| | | | To: [EMAIL PROTECTED] | | cc: | | Subject: RE: [ActiveDir] Remote Desktop | --| You can use this custom ADM to enable that little check box. I can't claim credit for it however. It was posted by a guy named Joe Elway from Ireland on the GPO forum I moderate. Pretty useful. ;;; CLASS MACHINE ;; ;;; CATEGORY Custom CATEGORY Remote Control POLICY Enable Remtoe Control #if version = 4 SUPPORTED XP and W2003 #endif KEYNAME SYSTEM\CurrentControlSet\Control\Terminal Server EXPLAIN Enable Remote Control VALUENAME fDenyTSConnections VALUEON NUMERIC 0 VALUEOFF NUMERIC 1 END POLICY END CATEGORY ; Custom END CATEGORY ; Remote Control -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto Sent: Thursday, March 25, 2004 7:41 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Remote Desktop I thought that was the case Domain Admins have access to Remote Desktop by default. But how do you activate it via AD. If the Allow users to connect remotely to this computer is not checked this is useless. Lynden -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, March 25, 2004 9:17 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote Desktop i have a question here: unless something has changed, domain admins should be populated in the local administrators group when you join the domain...so, by default they should have remote access rights. there are ways to block this with policy, and the most obvious one would be to use restricted groups on the local administrators group, without putting in domain admins. that could be pretty dangerous, although, a custom global group could be populated in there for the rights. but if everything is on the defaults, it should just be working on its own. what am i missing here? thanks |-+-- | | Seyboldt, Volker | | | [EMAIL PROTECTED]| | | | | | Sent by: | | | [EMAIL PROTECTED]| | | tivedir.org| | | | | | | | | 03/24/2004 02:29 PM| | | Please respond to | | | ActiveDir | | | | |-+-- --- -| | | | To: [EMAIL PROTECTED] | | cc: | | Subject: RE: [ActiveDir] Remote Desktop | --- -| yes you can You can use restricted groups in group policies to add any group you want to the local Remote Desktop Users at each PC. Members (Users and/or groups) of the PC's local ADministrator group are also automatically allowed to connect remotly From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto Sent
RE: [ActiveDir] Remote Desktop
Yea, that works too :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, March 25, 2004 9:59 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote Desktop well, at least on my xp box setting a gpo on my test ou computer configuration/administrative templates/windows components/terminal services/allow users to connect remotely using terminal services...setting this to enabled, checks the box, and greys it out imho, much better to use the built in fucntions than a custom adm file, much easier to reverse. |-+-- | | Darren Mar-Elia | | | [EMAIL PROTECTED]| | | om| | | Sent by: | | | [EMAIL PROTECTED]| | | tivedir.org| | | | | | | | | 03/25/2004 10:50 AM| | | Please respond to | | | ActiveDir | | | | |-+-- --- ---| | | | To: [EMAIL PROTECTED] | | cc: | | Subject: RE: [ActiveDir] Remote Desktop | --- ---| You can use this custom ADM to enable that little check box. I can't claim credit for it however. It was posted by a guy named Joe Elway from Ireland on the GPO forum I moderate. Pretty useful. ;;; CLASS MACHINE ;; ;;; CATEGORY Custom CATEGORY Remote Control POLICY Enable Remtoe Control #if version = 4 SUPPORTED XP and W2003 #endif KEYNAME SYSTEM\CurrentControlSet\Control\Terminal Server EXPLAIN Enable Remote Control VALUENAME fDenyTSConnections VALUEON NUMERIC 0 VALUEOFF NUMERIC 1 END POLICY END CATEGORY ; Custom END CATEGORY ; Remote Control -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto Sent: Thursday, March 25, 2004 7:41 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Remote Desktop I thought that was the case Domain Admins have access to Remote Desktop by default. But how do you activate it via AD. If the Allow users to connect remotely to this computer is not checked this is useless. Lynden -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, March 25, 2004 9:17 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote Desktop i have a question here: unless something has changed, domain admins should be populated in the local administrators group when you join the domain...so, by default they should have remote access rights. there are ways to block this with policy, and the most obvious one would be to use restricted groups on the local administrators group, without putting in domain admins. that could be pretty dangerous, although, a custom global group could be populated in there for the rights. but if everything is on the defaults, it should just be working on its own. what am i missing here? thanks |-+-- | | Seyboldt, Volker | | | [EMAIL PROTECTED]| | | | | | Sent by: | | | [EMAIL PROTECTED]| | | tivedir.org| | | | | | | | | 03/24/2004 02:29 PM| | | Please respond to | | | ActiveDir | | | | |-+-- --- -| | | | To: [EMAIL PROTECTED] | | cc: | | Subject: RE: [ActiveDir] Remote Desktop | --- -| yes you can You can use restricted groups in group policies to add any group you want to the local Remote Desktop Users at each PC. Members (Users and/or groups) of the PC's local ADministrator group are also automatically allowed to connect remotly From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto Sent: Wednesday, March 24, 2004 9:16 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Remote Desktop Is there a way to add Domain Admins
Re: [ActiveDir] Remote Desktop Issue
What error does he get when trying to connect using a terminal session? - Original Message - From: Gilbert, Daniel L Mr ANOSC/FCBS To: ActiveDir ([EMAIL PROTECTED]) Sent: Thursday, March 25, 2004 1:58 PM Subject: [ActiveDir] Remote Desktop Issue To All: I have a Remote Desktop issue that is driving me nuts. Servers are Windows Server 2003. I have a root domain spread across to two different sites, both physically (East Coast and West Coast) and AD wise (AD East and AD West). My two Enterprise Admins are members of a child domain (Child1) and through security group membership; they are placed into the Enterprise Admins security group in the root domain. This structure has worked fine for the last year. One of the Enterprise Admins has moved on to a bigger and better job and I promoted one of my Senior Admins to become a new Enterprise Admin. Now the fun part begins. The new Enterprise Admin can log on locally to the root DCs in the physical site West Coast (the bulk of the root is here) from either the keyboard or via Remote Desktop. The new Enterprise Admin can log on locally to the root DCs in the physical site East Coast (our COOP site) from the keyboard but he can not log in via Remote Desktop. I am sure his account has replicated from West Coast to East Coast because he can log on from the keyboard and I have waited long enough for replication to occur. I checked the permissions on the RDP connection but it still at default. Any ideas where I can go for a clue? My head is getting squishy from beating it against the wall. Daniel L. Gilbert, Contractor SeniorActive DirectorySpecialist CONUS Theater Network Operations and Security Center (CONUS-TNOSC) (520) 533-6700 DSN: 821-6700 [EMAIL PROTECTED]
RE: [ActiveDir] Remote Desktop
I don't have terminal services. How can I get an up-to-date adm Lynden -Original Message- From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] Sent: Thursday, March 25, 2004 1:14 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote Desktop Yea, that works too :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, March 25, 2004 9:59 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote Desktop well, at least on my xp box setting a gpo on my test ou computer configuration/administrative templates/windows components/terminal services/allow users to connect remotely using terminal services...setting this to enabled, checks the box, and greys it out imho, much better to use the built in fucntions than a custom adm file, much easier to reverse. |-+-- | | Darren Mar-Elia | | | [EMAIL PROTECTED]| | | om| | | Sent by: | | | [EMAIL PROTECTED]| | | tivedir.org| | | | | | | | | 03/25/2004 10:50 AM| | | Please respond to | | | ActiveDir | | | | |-+-- --- ---| | | | To: [EMAIL PROTECTED] | | cc: | | Subject: RE: [ActiveDir] Remote Desktop | --- ---| You can use this custom ADM to enable that little check box. I can't claim credit for it however. It was posted by a guy named Joe Elway from Ireland on the GPO forum I moderate. Pretty useful. ;;; CLASS MACHINE ;; ;;; CATEGORY Custom CATEGORY Remote Control POLICY Enable Remtoe Control #if version = 4 SUPPORTED XP and W2003 #endif KEYNAME SYSTEM\CurrentControlSet\Control\Terminal Server EXPLAIN Enable Remote Control VALUENAME fDenyTSConnections VALUEON NUMERIC 0 VALUEOFF NUMERIC 1 END POLICY END CATEGORY ; Custom END CATEGORY ; Remote Control -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto Sent: Thursday, March 25, 2004 7:41 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Remote Desktop I thought that was the case Domain Admins have access to Remote Desktop by default. But how do you activate it via AD. If the Allow users to connect remotely to this computer is not checked this is useless. Lynden -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, March 25, 2004 9:17 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote Desktop i have a question here: unless something has changed, domain admins should be populated in the local administrators group when you join the domain...so, by default they should have remote access rights. there are ways to block this with policy, and the most obvious one would be to use restricted groups on the local administrators group, without putting in domain admins. that could be pretty dangerous, although, a custom global group could be populated in there for the rights. but if everything is on the defaults, it should just be working on its own. what am i missing here? thanks |-+-- | | Seyboldt, Volker | | | [EMAIL PROTECTED]| | | | | | Sent by: | | | [EMAIL PROTECTED]| | | tivedir.org| | | | | | | | | 03/24/2004 02:29 PM| | | Please respond to | | | ActiveDir | | | | |-+-- --- -| | | | To: [EMAIL PROTECTED] | | cc: | | Subject: RE: [ActiveDir] Remote Desktop | --- -| yes you can You can use restricted groups in group policies to add any group you want to the local Remote Desktop Users at each PC. Members (Users and/or groups) of the PC's local ADministrator group are also automatically allowed to connect remotly
RE: [ActiveDir] Remote Desktop
it must be the default xp templates...if you create the policy from an xp box, it should use them.. |-+-- | | Philadelphia, Lynden -| | | Revios Toronto| | | [EMAIL PROTECTED]| | | vios.us | | | Sent by: | | | [EMAIL PROTECTED]| | | tivedir.org| | | | | | | | | 03/25/2004 01:46 PM| | | Please respond to | | | ActiveDir | | | | |-+-- --| | | | To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] | | cc: | | Subject: RE: [ActiveDir] Remote Desktop | --| I don't have terminal services. How can I get an up-to-date adm Lynden -Original Message- From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] Sent: Thursday, March 25, 2004 1:14 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote Desktop Yea, that works too :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, March 25, 2004 9:59 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote Desktop well, at least on my xp box setting a gpo on my test ou computer configuration/administrative templates/windows components/terminal services/allow users to connect remotely using terminal services...setting this to enabled, checks the box, and greys it out imho, much better to use the built in fucntions than a custom adm file, much easier to reverse. |-+-- | | Darren Mar-Elia | | | [EMAIL PROTECTED]| | | om| | | Sent by: | | | [EMAIL PROTECTED]| | | tivedir.org| | | | | | | | | 03/25/2004 10:50 AM| | | Please respond to | | | ActiveDir | | | | |-+-- --- ---| | | | To: [EMAIL PROTECTED] | | cc: | | Subject: RE: [ActiveDir] Remote Desktop | --- ---| You can use this custom ADM to enable that little check box. I can't claim credit for it however. It was posted by a guy named Joe Elway from Ireland on the GPO forum I moderate. Pretty useful. ;;; CLASS MACHINE ;; ;;; CATEGORY Custom CATEGORY Remote Control POLICY Enable Remtoe Control #if version = 4 SUPPORTED XP and W2003 #endif KEYNAME SYSTEM\CurrentControlSet\Control\Terminal Server EXPLAIN Enable Remote Control VALUENAME fDenyTSConnections VALUEON NUMERIC 0 VALUEOFF NUMERIC 1 END POLICY END CATEGORY ; Custom END CATEGORY ; Remote Control -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto Sent: Thursday, March 25, 2004 7:41 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Remote Desktop I thought that was the case Domain Admins have access to Remote Desktop by default. But how do you activate it via AD. If the Allow users to connect remotely to this computer is not checked this is useless. Lynden -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, March 25, 2004 9:17 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote Desktop i have a question here: unless something has changed, domain admins should be populated in the local administrators group when you join the domain...so, by default they should have remote access rights. there are ways to block this with policy, and the most obvious one would be to use restricted groups on the local administrators
RE: [ActiveDir] Remote Desktop Issue
No error message. He gets the logon prompt, logs on, the screen flashes applying settings then the terminal session screen closes out. Really weird. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines Sent: Thursday, March 25, 2004 12:35 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Remote Desktop Issue What error does he get when trying to connect using a terminal session? - Original Message - From: Gilbert, Daniel L Mr ANOSC/FCBS To: ActiveDir ([EMAIL PROTECTED]) Sent: Thursday, March 25, 2004 1:58 PM Subject: [ActiveDir] Remote Desktop Issue To All: I have a Remote Desktop issue that is driving me nuts. Servers are Windows Server 2003. I have a root domain spread across to two different sites, both physically (East Coast and West Coast) and AD wise (AD East and AD West). My two Enterprise Admins are members of a child domain (Child1) and through security group membership; they are placed into the Enterprise Admins security group in the root domain. This structure has worked fine for the last year. One of the Enterprise Admins has moved on to a bigger and better job and I promoted one of my Senior Admins to become a new Enterprise Admin. Now the fun part begins. The new Enterprise Admin can log on locally to the root DCs in the physical site West Coast (the bulk of the root is here) from either the keyboard or via Remote Desktop. The new Enterprise Admin can log on locally to the root DCs in the physical site East Coast (our COOP site) from the keyboard but he can not log in via Remote Desktop. I am sure his account has replicated from West Coast to East Coast because he can log on from the keyboard and I have waited long enough for replication to occur. I checked the permissions on the RDP connection but it still at default. Any ideas where I can go for a clue? My head is getting squishy from beating it against the wall. Daniel L. Gilbert, Contractor SeniorActive DirectorySpecialist CONUS Theater Network Operations and Security Center (CONUS-TNOSC) (520) 533-6700 DSN: 821-6700 [EMAIL PROTECTED]
RE: [ActiveDir] Remote Desktop
yes you can You can use restricted groups in group policies to add any group you want to the local "Remote Desktop Users" at each PC. Members (Users and/or groups) of the PC's local ADministrator group are also automatically allowed to connect remotly From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios TorontoSent: Wednesday, March 24, 2004 9:16 PMTo: '[EMAIL PROTECTED]'Subject: [ActiveDir] Remote Desktop Is there a way to add Domain Admins to the Remote Users of every pc in our Domain with AD and not go to every PC?
RE: [ActiveDir] Remote Desktop
VB Script and a GPO, or Login Script. http://www.myitforum.com/articles/11/view.asp?id=2457 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios TorontoSent: Wednesday, March 24, 2004 3:16 PMTo: '[EMAIL PROTECTED]'Subject: [ActiveDir] Remote Desktop Is there a way to add Domain Admins to the Remote Users of every pc in our Domain with AD and not go to every PC?
RE: [ActiveDir] Remote Desktop
Do you do this on the domain controller Lynden From: Seyboldt, Volker [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 3:30 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote Desktop yes you can You can use restricted groups in group policies to add any group you want to the local Remote Desktop Users at each PC. Members (Users and/or groups) of the PC's local ADministrator group are also automatically allowed to connect remotly From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto Sent: Wednesday, March 24, 2004 9:16 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Remote Desktop Is there a way to add Domain Admins to the Remote Users of every pc in our Domain with AD and not go to every PC? This message is intended for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message in not the intended recipient or the employer or agent responsible for delivering the message to the recipient, you are hereby notified that dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by email or telephone, and delete this message and all of its attachments.
RE: [ActiveDir] Remote Desktop
oh, I think you should have a look at some whitepapers about implementing Group Policies in Active Directory You should implement this in a group policy of active directory and yes typically this is done on a DC From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios TorontoSent: Wednesday, March 24, 2004 9:45 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Remote Desktop Do you do this on the domain controller Lynden From: Seyboldt, Volker [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 3:30 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Remote Desktop yes you can You can use restricted groups in group policies to add any group you want to the local "Remote Desktop Users" at each PC. Members (Users and/or groups) of the PC's local ADministrator group are also automatically allowed to connect remotly From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios TorontoSent: Wednesday, March 24, 2004 9:16 PMTo: '[EMAIL PROTECTED]'Subject: [ActiveDir] Remote Desktop Is there a way to add Domain Admins to the Remote Users of every pc in our Domain with AD and not go to every PC?
RE: [ActiveDir] Remote Desktop
Do you have any white papers Lynden From: Seyboldt, Volker [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 4:18 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote Desktop oh, I think you should have a look at some whitepapers about implementing Group Policies in Active Directory You should implement this in a group policy of active directory and yes typically this is done on a DC From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto Sent: Wednesday, March 24, 2004 9:45 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Remote Desktop Do you do this on the domain controller Lynden From: Seyboldt, Volker [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 3:30 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Remote Desktop yes you can You can use restricted groups in group policies to add any group you want to the local Remote Desktop Users at each PC. Members (Users and/or groups) of the PC's local ADministrator group are also automatically allowed to connect remotly From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto Sent: Wednesday, March 24, 2004 9:16 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Remote Desktop Is there a way to add Domain Admins to the Remote Users of every pc in our Domain with AD and not go to every PC? This message is intended for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message in not the intended recipient or the employer or agent responsible for delivering the message to the recipient, you are hereby notified that dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by email or telephone, and delete this message and all of its attachments.
RE: [ActiveDir] Remote Desktop
try this: http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios TorontoSent: Wednesday, March 24, 2004 10:45 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Remote Desktop Do you have any white papers Lynden From: Seyboldt, Volker [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 4:18 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Remote Desktop oh, I think you should have a look at some whitepapers about implementing Group Policies in Active Directory You should implement this in a group policy of active directory and yes typically this is done on a DC From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios TorontoSent: Wednesday, March 24, 2004 9:45 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Remote Desktop Do you do this on the domain controller Lynden From: Seyboldt, Volker [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 3:30 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Remote Desktop yes you can You can use restricted groups in group policies to add any group you want to the local "Remote Desktop Users" at each PC. Members (Users and/or groups) of the PC's local ADministrator group are also automatically allowed to connect remotly From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios TorontoSent: Wednesday, March 24, 2004 9:16 PMTo: '[EMAIL PROTECTED]'Subject: [ActiveDir] Remote Desktop Is there a way to add Domain Admins to the Remote Users of every pc in our Domain with AD and not go to every PC?
