RE: How to enforce Remote Assistance and Remote Desktop via GPO?

Tech-Archive recommends: Speed Up your PC by fixing your registry

Hi Sean,

Thanks for your update. I am glad to know that information is useful to
you-).

Yes, you are right. When the policy setting "user Configuration Settings
Disabled" is enabled, users can not see the option locally.

Please let me know if you have further question on the issue. I am happy to
be of assistance to you!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
Thread-Topic: How to enforce Remote Assistance and Remote Desktop via GPO?
thread-index: AcYwvtzpRE/uiu8CRMWbb31nnGDuQA==
X-WBNR-Posting-Host: 67.107.193.136
From: "=?Utf-8?B?U2VhbiBWcmVlbGFuZA==?="
<SeanVreeland@xxxxxxxxxxxxxxxxxxxxxxxxx>
References: <C5D897BC-A6D1-4480-8ECD-AF7C1F4B0B92@xxxxxxxxxxxxx>
<WjoR3LHMGHA.768@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: How to enforce Remote Assistance and Remote Desktop via GPO?
Date: Mon, 13 Feb 2006 08:59:33 -0800
Lines: 192
Message-ID: <98FD7637-80C1-4435-9E47-25E1B6899D3D@xxxxxxxxxxxxx>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Newsgroups: microsoft.public.windows.server.sbs
NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:244146
X-Tomcat-NG: microsoft.public.windows.server.sbs

Jenny,

Thanks for your reply. All of this makes sense and is very helpful.

however, I have a related GPO question:

By setting the GPO status to "user Configuration Settings Disabled" then
that means the GPO is Enabled and the user cannot change this setting,
rather
than if I just have it set to "Enable" correct?

""Jenny wu [MSFT]"" wrote:

Hi,

Thanks for using the SBS newsgroup.

I am sorry for the delayed response due to weekend. Please understand
that
the newsgroups are staffed weekdays by Microsoft Support professionals
to
answer your systems and applications questions. Your understanding is
greatly appreciated!

From your description, I understand that you want to enforce remote
assistance group policy settings and remote desktop group policy
settings
through GPO. If I am off base, please don't hesitate to let me know.

Since there is an order to apply group policies when domain users and
computers logon to domain, we can configure the remote desktop and
remote
assistance policy settings in the domain/OU level. In this way the local
policy settings will not take effect event they are configured.

The Group Policy settings are processed in the following order: Local
Group
Policy object -> Site -> Domain -> Organizational units

This order means that the local Group Policy object is processed first,
and
Group Policy objects that are linked to the organizational unit of which
the computer or user is a direct member are processed last, which
overwrites the earlier Group Policy objects.

For more detail information to group policy, you can take look at the
following articles. Hope it useful to you!
Order of processing settings

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Serve
rHelp/b74be6d3-ea6c-432f-9240-61e73168021d.mspx

Order of events when starting up and logging on

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Serve
rHelp/b74be6d3-ea6c-432f-9240-61e73168021d.mspx

To enable remote desktop and remote assistance on specific Windows XP
clients, you can refer to the following steps:

I. Locate the OU contains the Windows XP computers, create a group
policy
object.

II. Configure the Remote Desktop policy setting:

1. In the group policy object, click to expand Computer Configuration,
click to expand Administrative Templates, click to expand Windows
Components, and then click to expand Terminal Services.

2. Double-click the "Allow users to connect remotely using Terminal
Services" policy.

3. Set the policy to Enable, and then click OK.

III. Configure Offer Remote Assistance policy setting:

1. Locate the node: Computer Configuration\Administrative
Templates\System\Remote Assistance folder
2. Locate and double click item Offer Remote Assistance or Solicited
Remote
Assistance to enable settings as you need.

*Note: Remote Assistance uses DCOM. In Windows XP and Windows 2003, the
DCOM entry is located in the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
The String value of the DCOM entry is EnableDCOM = Y. If this value is
set
to 'N' or if this value is missing, Remote Assistance will not work.

3. Run "gpupdate /force" on both client workstations and the SBS server
to
make the change function.

IV. Moreover, if you want to specify a group of users who can RDP to the
Windows XP workstations, you can follow the steps below:

1. In Active Directory Users and Computers, create a Global group
containing the users.
2. Locate the OU contains the Windows XP computers, open the related
Group
policy object.
3. Right-click Restricted Groups (under Computer Configuration\Windows
Settings\Security Settings\Restricted Groups), and then click Add Group.
4. Type "Remote Desktop Users" and click ADD, click OK. (Note: do not
click
Browse to browse the group. )
5. Right-click the Remote Desktop Users group, and then click Properties.
6. To the right side of the Members of this Group box, click ADD, and
then
click Browse.
7. Locate the group that you created, and then add it. After you do so,
close the group policy.
8. On the domain controller, at a command prompt, type "gpupdate
/force",
and then press ENTER to refresh the policy.

Note: The original users in the Remote Desktop Users group on the
Windows
XP clients will be overrided.

V. Meanwhile, if your client workstations are using XP OS and have XP
SP2
installed, you can configure the Windows Firewall to allow or block the
remote desktop and remote assistance by using Group Policy, please refer
to
the following MS article for detailed settings for these policies.

Deploying Windows Firewall Settings for Microsoft Windows XP with
Service
Pack 2

http://download.microsoft.com/download/6/8/a/68a81446-cd73-4a61-8665-8a67781
ac4e8/WF_XPSP2.doc

Note: Please read the part - Windows Firewall: Allow Remote Desktop
exception Enabled only if you use Remote Desktop to connect to Windows
XP
with SP2-based computers.?

For more detail information to enable remote assistance policy settings
you
can take a look at the following articles:

Overview of Remote Assistance in Windows XP
http://support.microsoft.com/kb/300546/EN-US/

Supported connection scenarios for Remote Assistance
http://support.microsoft.com/?id=301529

300692 Description of the Remote Assistance Connection Process
http://support.microsoft.com/?id=300692

Hope above information helps! Please let me know if you have further
question on the issue. I am happy to be of assistance to you.

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
======================================================

PLEASE NOTE the newsgroup SECURE CODE and PASSWORD will be updated at
9:00
AM PST, February 14, 2006. Please complete a re-registration process by
entering the secure code mmpng2006 when prompted. Once you have entered
the
secure code mmpng2006, you will be able to update your profile and
access
the partner newsgroups.

======================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.

======================================================

This posting is provided "AS IS" with no warranties, and confers no
rights.

======================================================

--------------------
Thread-Topic: How to enforce Remote Assistance and Remote Desktop via
GPO?
thread-index: AcYufnRegqZZTF1CTgyCylBY95ALng==
X-WBNR-Posting-Host: 67.107.193.136
From: "=?Utf-8?B?U2VhbiBWcmVlbGFuZA==?="
<SeanVreeland@xxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: How to enforce Remote Assistance and Remote Desktop via GPO?
Date: Fri, 10 Feb 2006 12:13:27 -0800
Lines: 6
Message-ID: <C5D897BC-A6D1-4480-8ECD-AF7C1F4B0B92@xxxxxxxxxxxxx>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Newsgroups: microsoft.public.windows.server.sbs
NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:243690
X-Tomcat-NG: microsoft.public.windows.server.sbs


How can I create a GPO that will enable both Remote Assistance and
Remote
Desktop while disabling the feature to users so that they cannot turn
it
off?

Thanks






.

Relevant Pages

  • RE: How to enforce Remote Assistance and Remote Desktop via GPO?
    ... When the policy setting "user Configuration Settings ... I understand that you want to enforce remote ... policy settings will not take effect event they are configured. ... To enable remote desktop and remote assistance on specific Windows XP ...
    (microsoft.public.windows.server.sbs)
  • Remote desktop and group policy
    ... I have created a domain policy which sets up several ... on remote desktop and remote assistance to all clients ... local computer and checks "Remote desktop". ...
    (microsoft.public.windows.group_policy)
  • RE: Remote Desktop on client using GPM
    ... Group Policy Management ... The settings in this GPO can only apply to the following groups, users, and ... Offer Remote Assistance Enabled ... Solicited Remote Assistance Enabled ...
    (microsoft.public.windows.server.sbs)
  • RE: Remote Workplace
    ... Please ensure the laptop located in LAN network and joined the domain, ... Click Select Remote Users, ensure the user is in the users list. ... quotation marks) on the computer and then logoff and logon the laptop. ... The error "The local policy of this system does not permit you to log on ...
    (microsoft.public.windows.server.sbs)
  • Re: RWW and Remote desktop stopped working on all clients
    ... After diggin through ALL the group policies, I found Remote ... Desktop DISABLED under the Account Lockout policy - I don't think I've even ... adminsitrator or another account with Domain Admin role; also the server ...
    (microsoft.public.windows.server.sbs)