[gptalk] Re: handling remote desktop
- From: rpo <rpo8373@xxxxxxxxx>
- To: gptalk@xxxxxxxxxxxxx
- Date: Sat, 15 Nov 2008 00:24:12 +1000
thanks omar, your feedback is appreciated.
daniel.
On 14/11/2008, Omar Droubi <omar@xxxxxxxxxxxxxxxxxxxxx> wrote:
> I would recommend that you do not mess with the Allow logon through terminal
> services User right assignment.
>
> Instead for Remote desktop- I would be a proponent of your idea of creating a
> domain GG and using GPO restricted groups to make the GG a member of the
> local remote desktop users group.
>
> If you have a security concern- they you will need to address that by having
> multiple domain GG groups and multiple RD GPO policies and segment your
> computers with domain computer groups or in separate OUs
>
> As for remote assistance- I would try it out 1st to see how you like it-
> Almost every time I tried to deploy remote assistance the performance was so
> poor that we scrapped it. Anyway- if you do want to use it- RA is great on
> terminal servers- but in a TS you can use TS remote control anyway- but that
> is a different subject.
>
> Back to Remote assistance- I would use the Offer remote assistance setting in
> a GPO and add a domain GG- just make sure you test it out as there is
> something I can quite remember about it- like if you add groups 1,2 & 3 to
> offer remote assistance that if you change it to groups 1 & 2 that 3 may
> remain- but it has been while and that area of my brain is now archived.
>
> Also- don't forget to also use GPO to enable the RA for solicitation if you
> desire that and to enable Remote desktop and then to make the necessary FW
> modifications for both the domain and if necessary the standard FW profile
> (or more for Vista) to allow for RA and RDP. RDP is easy- Remote Assistance
> requires about 3 or 4 custom program and port rules in the FW policy to work.
>
>
> Omar Droubi
> omar@xxxxxxxxxxxxxxxxxxxxx
> 650-726-0300
> ________________________________________
> From: gptalk-bounce@xxxxxxxxxxxxx [gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of
> rpo [rpo8373@xxxxxxxxx]
> Sent: Thursday, November 13, 2008 03:32 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] handling remote desktop
>
> hi all,
>
> i'm just curious how people here handle remote desktop and remote
> assistance in their organisation.
>
> we have a requirement for certain non-admin users to be able to remote
> desktop/offer remote assistance to machines on occasion.
>
> should i manually add the user to the local remote desktop users group
> on the machine, or should i enforce a policy? my issue with this is
> that it gives the user the ability to remote desktop to all machines.
> how risky is this?
>
> my plan was to create a domain group called 'rdp users' and modify the
> 'allow logon through terminal services' policy to incorporate this
> group. the domain group 'remote desktop users' in my understanding, is
> a builtin group and only applicable to dc's?
>
> as for remote assistance, i was simply going to create a 'remote
> assistance users' domain group and modify the offer remote assistance
> setting in the admin templates\system\remote assistance template.
>
> how does all this sound?
>
> daniel.
> ***********************
> You can unsubscribe from gptalk by sending email to
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
> logging into the freelists.org Web interface. Archives for the list are
> available at //www.freelists.org/archives/gptalk/
> ************************
> ***********************
> You can unsubscribe from gptalk by sending email to
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
> logging into the freelists.org Web interface. Archives for the list are
> available at //www.freelists.org/archives/gptalk/
> ************************
>
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/
************************
Other related posts:
