thanks omar, your feedback is appreciated.

daniel.

On 14/11/2008, Omar Droubi <omar@xxxxxxxxxxxxxxxxxxxxx> wrote:
> I would recommend that you do not mess with the Allow logon through terminal
> services User right assignment.
>
> Instead for Remote desktop- I would be a proponent of your idea of creating a
> domain GG and using GPO restricted groups to make the GG a member of the
> local remote desktop users group.
>
> If you have a security concern- then you will need to address that by having
> multiple domain GG groups and multiple RD GPO policies and segment your
> computers with domain computer groups or in separate OUs
>
> As for remote assistance- I would try it out 1st to see how you like it-
> Almost every time I tried to deploy remote assistance the performance was so
> poor that we scrapped it. Anyway- if you do want to use it- RA is great on
> terminal servers- but in a TS you can use TS remote control anyway- but that
> is a different subject.
>
> Back to Remote assistance- I would use the Offer remote assistance setting in
> a GPO and add a domain GG- just make sure you test it out as there is
> something I can't quite remember about it- like if you add groups 1,2 & 3 to
> offer remote assistance that if you change it to groups 1 & 2 that 3 may
> remain- but it has been a while and that area of my brain is now archived.
>
> Also- don't forget to also use GPO to enable the RA for solicitation if you
> desire that and to enable Remote desktop and then to make the necessary FW
> modifications for both the domain and if necessary the standard FW profile
> (or more for Vista) to allow for RA and RDP. RDP is easy- Remote Assistance
> requires about 3 or 4 custom program and port rules in the FW policy to work.
>
>
> Omar Droubi
> omar@xxxxxxxxxxxxxxxxxxxxx
> 650-726-0300
> ________________________________________
> From: gptalk-bounce@xxxxxxxxxxxxx [gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of
> rpo [rpo8373@xxxxxxxxx]
> Sent: Thursday, November 13, 2008 03:32 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] handling remote desktop
>
> hi all,
>
> i'm just curious how people here handle remote desktop and remote
> assistance in their organisation.
>
> we have a requirement for certain non-admin users to be able to remote
> desktop/offer remote assistance to machines on occasion.
>
> should i manually add the user to the local remote desktop users group
> on the machine, or should i enforce a policy? my issue with this is
> that it gives the user the ability to remote desktop to all machines.
> how risky is this?
>
> my plan was to create a domain group called 'rdp users' and modify the
> 'allow logon through terminal services' policy to incorporate this
> group. the domain group 'remote desktop users' in my understanding, is
> a builtin group and only applicable to dc's?
>
> as for remote assistance, i was simply going to create a 'remote
> assistance users' domain group and modify the offer remote assistance
> setting in the admin templates\system\remote assistance template.
>
> how does all this sound?
>
> daniel.
> ***********************
> You can unsubscribe from gptalk by sending email to
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
> logging into the freelists.org Web interface. Archives for the list are
> available at //www.freelists.org/archives/gptalk/
> ************************
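
An added example, not part of the thread: a small audit of a GPO security template (GptTmpl.inf) that reports whether Remote Desktop access is granted by overriding the "Allow logon through terminal services" user right or through Restricted Groups on the local Remote Desktop Users group, the two approaches discussed above. The sample template, its domain SIDs and the names `audit_template` and `SAMPLE_INF` are constructed for illustration.

```python
import configparser

RDP_RIGHT = "SeRemoteInteractiveLogonRight"   # "Allow logon through terminal services"
RDP_USERS = "*S-1-5-32-555"                   # well-known SID of BUILTIN\Remote Desktop Users

# Constructed sample of a GPO security template; the domain SIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1104
[Group Membership]
*S-1-5-21-1111-2222-3333-1105__Memberof = *S-1-5-32-555
*S-1-5-21-1111-2222-3333-1105__Members =
"""

def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def audit_template(inf_text):
    """Report how a security template grants Remote Desktop access."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str          # keep the case of right names and SIDs
    cp.read_string(inf_text)
    report = {"right_assignees": None, "additive": [], "enforced": None}
    if cp.has_option("Privilege Rights", RDP_RIGHT):
        # The user right itself is overridden: the approach the reply advises against.
        report["right_assignees"] = _split(cp.get("Privilege Rights", RDP_RIGHT))
    if cp.has_section("Group Membership"):
        for key, value in cp.items("Group Membership"):
            principal, _, kind = key.rpartition("__")
            if kind.lower() == "memberof" and RDP_USERS in _split(value):
                report["additive"].append(principal)   # added; existing members kept
            elif kind.lower() == "members" and principal == RDP_USERS:
                report["enforced"] = _split(value)     # list replaces local membership
    return report

if __name__ == "__main__":
    print(audit_template(SAMPLE_INF))
```

Templates stored in SYSVOL are UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text in.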