Link to home
Start Free TrialLog in
Avatar of LeviDaily
LeviDailyFlag for United States of America

asked on

Group Policy to Enable Remote Desktop on workstations

Is there a Group Policy to enable Remote Desktop on all workstations?
Avatar of shniz123
shniz123
Flag of United States of America image

ASKER CERTIFIED SOLUTION
Avatar of Jay_Jay70
Jay_Jay70
Flag of Australia image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Hi,

Here are a couple of snippets from a 10/30 thread in this group:

(from John)
------------------------------------------------------------------------------------------------
Remote Assistant
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Termina
l Server\fAllowToGetHelp
Use REG_DWORD with a value of 0 or 1
1 turns on 0 turns off

Remote Desktop
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Termina
l Server\fDenyTSConnections
Use REG_DWORD with a value of 0 or 1
0 turns on 1 turns off

---------------------------------------------------------------------------------------

And a WMI script from Vladimir Stoyanov [MS]
----------------------------------------------------------------------------------------
Or you could use a WMI script to do this remotely, here's a VB script
snippet, you have to change machine name and admin password:

---------------------------------------------
Function blnConnect(objService, strServer, strNameSpace, strUserName,
strPassword)

    ON ERROR RESUME NEXT

    DebugPrint "blnConnect: started"
    Dim objLocator
    blnConnect = True     'There is no error.

    ' Create Locator object to connect to remote CIM object manager

    Err.Clear
    Set objLocator = CreateObject("WbemScripting.SWbemLocator")
    If Err.Number then
        WSCript.Echo "Error 0x" & CStr(Hex(Err.Number)) & " occurred in
creating a locator object."
        If Err.Description <> "" Then
            Print "Error description: " & Err.Description & "."
            WScript.Echo "Error description: " & Err.Description & "."
        End If
        Err.Clear
        blnConnect = False     'An error occurred
        Exit Function
    End If

    Err.Clear
    ' Connect to the namespace which is either local or remote
    Set objService = objLocator.ConnectServer (strServer, strNameSpace,
strUserName, strPassword)

    If Err.Number then
        WScript.Echo "Error 0x" & CStr(Hex(Err.Number)) & " occurred in
connecting to server " _
            & strServer & "."
        If Err.Description <> "" Then
            Print "Error description: " & Err.Description & "."
            WScript.Echo "Error description: " & Err.Description & "."
        End If
        Err.Clear
        blnConnect = False     'An error occurred
    End If

    objService.Security_.impersonationlevel = 3
    if blnConnect = True then
        DebugPrint "blnConnect: succeeded"
    end if

End Function

'********************************************************************

Dim objServices
WScript.Echo "Start"

blnResult = blnConnect( objServices, "MyRemoteMachine", "root\cimv2",
"MyRemoteMachine\Administrator", "MyPassword" )

if not blnResult then
    WScript.Echo "Error connecting"
    MsgBox "Error connecting", vbExclamation, "Error"
End If

set terminal = objServices.Get("win32_TerminalServiceSetting='RDP-Tcp'")
result = terminal.SetAllowTSConnections( "1" )

WScript.Echo "Method returned result = " & result

if err <>0 then
    WScript.Echo Err.Description, "0x" & Hex(Err.Number)
end if

----------------------------------------------------------------

For more detail information to group policy, you can take look at the following articles. Hope it useful to you!
Order of processing settings
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/librarrHelp/b74be6d3-ea6c-432f-9240-61e73168021d.mspx

Order of events when starting up and logging on
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/librar...
rHelp/b74be6d3-ea6c-432f-9240-61e73168021d.mspx

To enable remote desktop and remote assistance on specific Windows XPclients, you can refer to the following steps:

I. Locate the OU contains the Windows XP computers, create a group policy,object.

II. Configure the Remote Desktop policy setting:

1. In the group policy object, click to expand Computer Configuration,click to expand Administrative Templates, click to expand WindowsmComponents, and then click to expand Terminal Services.

2. Double-click the "Allow users to connect remotely using Terminal Services" policy.

3. Set the policy to Enable, and then click OK.

III. Configure Offer Remote Assistance policy setting:

1. Locate the node: Computer Configuration\Administrative Templates\System\Remote Assistance folder
2. Locate and double click item Offer Remote Assistance or Solicited Remote Assistance to enable settings as you need.

*Note: Remote Assistance uses DCOM. In Windows XP and Windows 2003, the DCOM entry is located in the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
The String value of the DCOM entry is EnableDCOM = Y.

If this value is set to 'N' or if this value is missing, Remote Assistance will not work.

3. Run "gpupdate /force" on both client workstations and the SBS server to make the change function.

IV. Moreover, if you want to specify a group of users who can RDP to the Windows XP workstations, you can follow the steps below:

1. In Active Directory Users and Computers, create a Global group containing the users.
2. Locate the OU contains the Windows XP computers, open the related Grouppolicy object.
3. Right-click Restricted Groups (under Computer Configuration\Windows Settings\Security Settings\Restricted Groups), and then click Add Group.
4. Type "Remote Desktop Users" and click ADD, click OK. (Note: do not click Browse to browse the group. )
5. Right-click the Remote Desktop Users group, and then click Properties.
6. To the right side of the Members of this Group box, click ADD, and then click Browse.
7. Locate the group that you created, and then add it. After you do so, close the group policy.
8. On the domain controller, at a command prompt, type "gpupdate /force", and then press ENTER to refresh the policy.

Note: The original users in the Remote Desktop Users group on the Windows XP clients will be overrided.

V. Meanwhile, if your client workstations are using XP OS and have XP SP2 installed, you can configure the Windows Firewall to allow or block the remote desktop and remote assistance by using Group Policy, please refer to
the following MS article for detailed settings for these policies.

Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2
http://download.microsoft.com/download/6/8/a/68a81446-cd73-4a61-8665-ac4e8/WF_XPSP2.doc

Note: Please read the part - Windows Firewall: Allow Remote Desktop exception  Enabled only if you use Remote Desktop to connect to Windows XP with SP2-based computers.?

For more detail information to enable remote assistance policy settings you can take a look at the following articles:

Overview of Remote Assistance in Windows XP
http://support.microsoft.com/kb/300546/EN-US/

Supported connection scenarios for Remote Assistance
http://support.microsoft.com/?id=301529

300692 Description of the Remote Assistance Connection Process
http://support.microsoft.com/?id=300692

Hope above information helps! Please let me know if you have further question on the issue. I am happy to be of assistance to you.
http://www.windowsdevcenter.com/pub/a/windows/2004/05/04/serverhacks_remote.html
Avatar of Brian
I wish it was possible to enable and disable this feature through group policy but it is not.

There are some great things that may help you above but my solution is quick and easy.  Take a look at this link which will have you create a script with under 20 lines of EASY code.  In fact you don't need to edit any of it.  Just push the script out through a group policy and you're good to go.
http://www.adminprep.com/forums/How_to_Enable_Remote_Desktop_Through_a_Script/m_141/tm.htm


Brian
HOLY CRAP JAY_JAY found the policy I have been looking for my whole life.  Wow, I wonder how this got past my watchful eyes.  

Great find!!!!!!!!!!


Brian
Hey Brian,

I had the exact same reaction when Netman66 pointed it out to me....I think it is probably the worst worded policy that MS have....... completely misleading :)
Hey Hey Now i am famous on your site! Although, it was Netman who showed me.

I am a frequent visitor by the way, very impressive site

james
Thanks James.  I just wish the site would make some money so I could retire.  Email me if you want to contribute to the site.

Brian
Did I hear my name? :o)

All credit where credit due!
Your integrity and honesty never cease to impress me James!

@Brian - nice site bud!  Very clean.  Now you just need some traffic.  Email me and we'll talk.  It's my alias here at gmail.

Avatar of skrombeen
skrombeen

does anyone have the link posted above?
If it was the link to the AdminPrep article you can find it here - http://msmvps.com/blogs/ad/archive/2006/07/28/enable-remote-desktop-through-a-script.aspx

Brian
awesome thanks