Remote Desktop

[rdrunner40]

Hi All,

I have got remote desktop to work on two of our WIN XP Pro Pc's on our site.

I am a member of our administrators group and as we are shortly going to spilt into two sites i have been tasked with getting the above to work.

NOW i have managed to connect other PC fine, the only problem that i entailed is that i have to logon to the remote PC as Administrator rather than the users account. When i do this i automatically disconnect the local user.

I want to logon as the local user remotely.

When i try to do this i get the following message :

the local policy of this machine does not enable you to logon interactively......

I can logon as the administrator but as there will be up to 30 different pc's to configure i would like to get it right first time up. The Administrators Desktop is not what i want to see ... i need to be able to logon as the local user and see their desktop ......

What am i doing wrong ?

regards

Murray

 

[bcastner]

See issues #1 and #2, particularly #2:

http://support.microsoft.com/default.aspx?kbid=823659

 

[westredd]

have you checked the local policy of the PCs in question. There is probably a policy only allowing admins to control over RDP.

 

[Dollar]

A standard user would need to be a member of "Remote Desktop Users" on the local PC. Example:
You want to connect to "WorkstationA" as the user who is currently logged on to "WorkstationA" (as you described). For a standard user to remote desktop to another PC - they must (minimum) be a member of the Remote Desktop Users group on the PC they want to "Remote to".

How I would set this up:
Make a domain group called "RemoteUsers"
Add corporate users to "RemoterUsers" domain group
Add "RemoteUsers" domain group to PCs "Remote Desktop Users" group

The reasons are plentiful (I'll give you three good ones):
1. I will then be able to manage joiners and leavers from ONE place (yeah - I'm lazy)
2. If users switch PCs, the group is already there - they have access and you don't have to waste time setting up new user accounts in the group
3. if you rebuild a PC, you only have to add one group - not 100 user names.

This change does not affect the users privileges, other than allow remotely connecting to another PC using remote desktop.

One glitch in this fairy tale:
If you have the policy "Allow access to this PC from network" set only for Administrators, it may conflict, and users may be denied.

Hope this helps.

 

[magnetmart]

I think what you need is Remote Assistance and NOT Remote Desktop. Remote desktop will definately log off the current user (if you're an administrator!), but if you want to see what a user has on their desktop, Remote Assistance is all you need. And you can add a GPO such that only members of the admin group can do this. In my Domain, I have no users with local accounts! Every user is a member of the local administrators account using the domain login account. Since it's WinXP, all these are cached meaning that even if they're offline, they will still be able to login onto their machines and see what they see in the office!. If this is what you need please let me know so that I can help you further.

Thanks

Mangat.

 

[bcastner]

Every user is a member of the local administrators account using the domain login account. Since it's WinXP, all these are cached meaning that even if they're offline, they will still be able to login onto their machines and see what they see in the office!.

You do not have to be a local Administrator to use cached credentials.

You do not want every user to be a local Administrator.
Do you?

 

[magnetmart]

1. No, You do not have to be a local adnministrator to use cached credentials, just that you cannot log on remotely if you're not a member of the other machine's admin group!

2. Not every user to be a member of the each machine, but every user who has a machine is definately a member of their own local admin groups e.g. if I have 5 users with 5 machines, each user is a member of their own admin groups machine, not all the other users. In general, I don;t have users sharing machines. Each user is asigned their own machines but another user can definatley log onto any machine, only that they will not be able to install anything since they're not admins of that machine.

Do you mean that your place, no one has admin rights on their machine, so for every small issue that is even posted like updates or remote installations, you re the only one who does it? Please guide me.. I could be missing something..

Thanks

 

[bcastner]

...just that you cannot log on remotely if you're not a member of the other machine's admin group!"

This is not true.

"Do you mean that your place, no one has admin rights on their machine, so for every small issue that is even posted like updates or remote installations, you re the only one who does it?"

Well, I let SuS handle the Windows Updates, and I let Group Policy do the installs as published applications.

 

[bcastner]

I should add, that it is not in any way unusual for the Domain Administrator to decide to remove the local Administrator Group completely.

 

[magnetmart]

Yes, you're very right, I think I meant Remote Assistance and not Remote Desktop!.

How about if you have inhouse applications and you don't use SuS?

Looks like it's now our forum!