[gptalk] Re: handling remote desktop

  • From: Omar Droubi <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: "gptalk@xxxxxxxxxxxxx" <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 13 Nov 2008 16:05:50 -0800

I would recommend that you do not mess with the Allow logon through terminal 
services User right assignment.

Instead for Remote desktop- I would be a proponent of your idea of creating a 
domain GG and using GPO restricted groups to make the GG a member of the local 
remote desktop users group.

If you have a security concern- then you will need to address that by having 
multiple domain GG groups and multiple RD GPO policies and segment your 
computers with domain computer groups or in separate OUs.

As for remote assistance- I would try it out 1st to see how you like it- Almost 
every time I tried to deploy remote assistance the performance was so poor that 
we scrapped it. Anyway- if you do want to use it- RA is great on terminal 
servers- but in a TS you can use TS remote control anyway- but that is a 
different subject.

Back to Remote assistance- I would use the Offer remote assistance setting in a 
GPO and add a domain GG- just make sure you test it out as there is something I 
can't quite remember about it- like if you add groups 1,2 & 3 to offer remote 
assistance that if you change it to groups 1 & 2 that 3 may remain- but it has 
been a while and that area of my brain is now archived.

Also- don't forget to also use GPO to enable the RA for solicitation if you 
desire that and to enable Remote desktop and then to make the necessary FW 
modifications for both the domain and if necessary the standard FW profile (or 
more for Vista) to allow for RA and RDP. RDP is easy- Remote Assistance 
requires about 3 or 4 custom program and port rules in the FW policy to work.


Omar Droubi
omar@xxxxxxxxxxxxxxxxxxxxx
650-726-0300
________________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of 
rpo [rpo8373@xxxxxxxxx]
Sent: Thursday, November 13, 2008 03:32 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] handling remote desktop

hi all,

i'm just curious how people here handle remote desktop and remote
assistance in their organisation.

we have a requirement for certain non-admin users to be able to remote
desktop/offer remote assistance to machines on occasion.

should i manually add the user to the local remote desktop users group
on the machine, or should i enforce a policy? my issue with this is
that it gives the user the ability to remote desktop to all machines.
how risky is this?

my plan was to create a domain group called 'rdp users' and modify the
'allow logon through terminal services' policy to incorporate this
group. the domain group 'remote desktop users' in my understanding, is
a builtin group and only applicable to dc's?

as for remote assistance, i was simply going to create a 'remote
assistance users' domain group and modify the offer remote assistance
setting in the admin templates\system\remote assistance template.

how does all this sound?

daniel.
***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************
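
An added example, not part of the thread: a PowerShell check to run on a workstation or member server to confirm the outcome of the approach recommended in the reply, namely that the local Remote Desktop Users group holds only the intended domain global group and that the "Allow log on through Terminal Services" user right is still at its default. The group name `CONTOSO\RDP-Helpdesk` and the function `Compare-Membership` are hypothetical; the script assumes Windows PowerShell 5.1 or later and an elevated session.

```powershell
# Added example (not from the thread). Run elevated on the machine being checked.
# 'CONTOSO\RDP-Helpdesk' is a constructed placeholder for the domain global group
# that the Restricted Groups GPO is supposed to place in the local group.
param([string[]]$ExpectedMembers = @('CONTOSO\RDP-Helpdesk'))

function Compare-Membership {
    param([string[]]$Actual, [string[]]$Expected)
    # -notin is case-insensitive, matching how Windows treats account names.
    $unexpected = @($Actual   | Where-Object { $_ -notin $Expected })
    $missing    = @($Expected | Where-Object { $_ -notin $Actual })
    [pscustomobject]@{
        Unexpected = $unexpected
        Missing    = $missing
        Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

# S-1-5-32-555 is the well-known SID of BUILTIN\Remote Desktop Users.
$actual = @(Get-LocalGroupMember -SID 'S-1-5-32-555' | ForEach-Object { $_.Name })
$result = Compare-Membership -Actual $actual -Expected $ExpectedMembers

# Export the effective user rights and read who holds the RDP logon right.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight' |
        Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
$holders = if ($line) { ($line.Line -split '=', 2)[1].Trim() -split '\s*,\s*' } else { @() }

# Default holders on workstations and member servers:
# Administrators (S-1-5-32-544) and Remote Desktop Users (S-1-5-32-555).
$defaultHolders = '*S-1-5-32-544', '*S-1-5-32-555'
$extraHolders   = @($holders | Where-Object { $_ -notin $defaultHolders })

[pscustomobject]@{
    Computer               = $env:COMPUTERNAME
    GroupCompliant         = $result.Compliant
    UnexpectedMembers      = $result.Unexpected -join ', '
    MissingMembers         = $result.Missing -join ', '
    ExtraLogonRightHolders = $extraHolders -join ', '
}
```

Where computers are segmented by OU with a different group per segment, pass that segment's group through `-ExpectedMembers` so that a group from another segment shows up under `UnexpectedMembers`.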