Re: remote desktop policy
From: Bruce Sanderson (bsanders_at_junk.junk)
Date: 02/27/05
- Previous message: Fran: "Re: How to grant an app Admin privaleges?"
- In reply to: Fabrussio: "Re: remote desktop policy"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 26 Feb 2005 20:49:31 -0800
The setting in Local Policies is available for Windows 2000 SP2 or later.
The setting in Administrative Templates, Windows Components is available for
Windows XP and Windows 2003 or later. Sorry, I should have checked that
before making my post.
However, none of these settings will have any affect on third party remote
control software - they apply only to features built into Windows.
-- Bruce Sanderson MVP Printing http://members.shaw.ca/bsanders It is perfectly useless to know the right answer to the wrong question. "Fabrussio" <Fabrussio@discussions.microsoft.com> wrote in message news:6DA72642-FCA5-449C-A20A-0E530B729CFA@microsoft.com... > Thanks for the excellent answer, but I dont appear to have the terminal > services option in my GPO. Is there an extra ADM that needs installing? > > The reason we are doing is that we are a school and the users are of > course > very restricted. I want to access the servers from clients sometimes (so > can > I just add domain admin as an allowed user?), but students have been > getting > hold of 3rd party remote desktop software and taking control of other > workstations. > > > Thanks > > "Bruce Sanderson" wrote: > >> Computer Configuration >> Windows >> Security Settings >> Local Policies >> User Rights Assignment >> Allow log on through Terminal Services - turn on the >> check mark for "Define these policy settings" but leave the list of user >> and >> groups empty >> Deny log on through Terminal Services - turn on the >> check mark for "Define these policy settings" and add Everyone to the >> list >> of users and groups >> >> Computer Configuration >> Administrative Templates >> Windows Components >> Terminal Services >> Allow users to connect remotely using Terminal Services - >> Disable >> >> This should cause all of the computers that have these settings applied >> (via >> GPO) to reject any attempt to log on to them using the Microsoft Remote >> Desktop Client (or the older Terminal Services client). >> >> These policies affect the computer that the attempt to connect remotely >> is >> targeted at (that is, the Terminal Services component), on both servers >> and >> workstations (Windows 2000 SP2 or later). >> >> The Remote Desktop Client itself doesn't have any settings to control >> which >> computer it can be targetted at. I suppose you could remove the Remote >> Desktop Client (mstsc.exe) from the computers so no one can use it, but >> if >> all the servers and workstations reject the connection attempt, this >> would >> be unnecessary. If the users are administrators on their workstations, >> then >> they could just re-install it. I'm not sure what you mean exactly by >> "mobile disk", but in any case, the lock down is on the target computer, >> not >> the source computer, so it doesn't matter where the Remote Desktop Client >> software is located. >> >> I'm not sure why exactly one would want to do this. The ability of >> administrators to connect to computers remotely, especially servers, is >> very >> valuable. Windows 2003 Server comes with this ability installed by >> default >> (equivalent to the Windows 2000 Terminal Services in Remote >> Administration >> Mode) - the settings above would render this inoperable. For example, >> all >> of our servers are in a remote basement with very tight physical >> security; >> we do all of our administration remotely using the Remote Desktop >> Client - >> in fact, I've never actually physically seen them. Remotely connecting >> to >> workstations is very useful for tracking down problems, installing or >> configuring software etc. With workstations in 20 odd remote locations >> (some >> hundreds of miles away), we find it an essential capability. By >> appropriately configuring the settings above, you can restrict the >> ability >> to connect remotely to a single user account or a group (of >> administrators). >> >> -- >> Bruce Sanderson MVP Printing >> http://members.shaw.ca/bsanders >> >> It is perfectly useless to know the right answer to the wrong question. >> >> >> >> "Fabrussio" <Fabrussio@discussions.microsoft.com> wrote in message >> news:7D2ED97D-BEA8-4B68-96A0-11771DC4F413@microsoft.com... >> > win2000 server and clients >> > what is the best procedure for preventing remote desktop connections >> > between >> > both workstation-workstation and workstation-server? >> > I assume there are policies in the GPO and within the actual software >> > itself? >> > >> > Will this work if the remote deskotp software is being run from >> > software >> > on >> > a mobile disk? >> > >> > thanks 4 any advice >> >> >>
- Previous message: Fran: "Re: How to grant an app Admin privaleges?"
- In reply to: Fabrussio: "Re: remote desktop policy"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
