LeviDaily
asked on
Group Policy to Enable Remote Desktop on workstations
Is there a Group Policy to enable Remote Desktop on all workstations?
http://technet2.microsoft.com/WindowsServer/en/library/1e4a44de-2be1-4d29-9387-9f04b79cc17a1033.mspx?mfr=true
Hi,
Here are a couple of snippets from a 10/30 thread in this group:
(from John)
----------------------------------------
Remote Assistant
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp
Use REG_DWORD with a value of 0 or 1
1 turns on 0 turns off
Remote Desktop
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
Use REG_DWORD with a value of 0 or 1
0 turns on 1 turns off
----------------------------------------
And a WMI script from Vladimir Stoyanov [MS]
----------------------------------------
Or you could use a WMI script to do this remotely, here's a VB script
snippet, you have to change machine name and admin password:
----------------------------------------
Function blnConnect(objService, strServer, strNameSpace, strUserName, strPassword)
    ON ERROR RESUME NEXT
    DebugPrint "blnConnect: started"
    Dim objLocator
    blnConnect = True 'There is no error.
    ' Create Locator object to connect to remote CIM object manager
    Err.Clear
    Set objLocator = CreateObject("WbemScripting.SWbemLocator")
    If Err.Number then
        WScript.Echo "Error 0x" & CStr(Hex(Err.Number)) & " occurred in creating a locator object."
        If Err.Description <> "" Then
            Print "Error description: " & Err.Description & "."
            WScript.Echo "Error description: " & Err.Description & "."
        End If
        Err.Clear
        blnConnect = False 'An error occurred
        Exit Function
    End If
    Err.Clear
    ' Connect to the namespace which is either local or remote
    Set objService = objLocator.ConnectServer (strServer, strNameSpace, strUserName, strPassword)
    If Err.Number then
        WScript.Echo "Error 0x" & CStr(Hex(Err.Number)) & " occurred in connecting to server " _
            & strServer & "."
        If Err.Description <> "" Then
            Print "Error description: " & Err.Description & "."
            WScript.Echo "Error description: " & Err.Description & "."
        End If
        Err.Clear
        blnConnect = False 'An error occurred
    End If
    objService.Security_.impersonationlevel = 3
    if blnConnect = True then
        DebugPrint "blnConnect: succeeded"
    end if
End Function
'***************************************
Dim objServices
WScript.Echo "Start"
blnResult = blnConnect( objServices, "MyRemoteMachine", "root\cimv2", "MyRemoteMachine\Administrator", "MyPassword" )
if not blnResult then
    WScript.Echo "Error connecting"
    MsgBox "Error connecting", vbExclamation, "Error"
End If
set terminal = objServices.Get("win32_TerminalServiceSetting='RDP-Tcp'")
result = terminal.SetAllowTSConnections( "1" )
WScript.Echo "Method returned result = " & result
if err <>0 then
    WScript.Echo Err.Description, "0x" & Hex(Err.Number)
end if
----------------------------------------
For more detailed information on group policy, you can take a look at the following articles. Hope it is useful to you!
Order of processing settings
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/librarrHelp/b74be6d3-ea6c-432f-9240-61e73168021d.mspx
Order of events when starting up and logging on
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/librar...
rHelp/b74be6d3-ea6c-432f-9240-61e73168021d.mspx
To enable remote desktop and remote assistance on specific Windows XP clients, you can refer to the following steps:
I. Locate the OU that contains the Windows XP computers and create a group policy object.
II. Configure the Remote Desktop policy setting:
1. In the group policy object, click to expand Computer Configuration, click to expand Administrative Templates, click to expand Windows Components, and then click to expand Terminal Services.
2. Double-click the "Allow users to connect remotely using Terminal Services" policy.
3. Set the policy to Enable, and then click OK.
III. Configure Offer Remote Assistance policy setting:
1. Locate the node: Computer Configuration\Administrative Templates\System\Remote Assistance folder
2. Locate and double click item Offer Remote Assistance or Solicited Remote Assistance to enable settings as you need.
*Note: Remote Assistance uses DCOM. In Windows XP and Windows 2003, the DCOM entry is located in the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
The String value of the DCOM entry is EnableDCOM = Y.
If this value is set to 'N' or if this value is missing, Remote Assistance will not work.
3. Run "gpupdate /force" on both client workstations and the SBS server to make the change take effect.
IV. Moreover, if you want to specify a group of users who can RDP to the Windows XP workstations, you can follow the steps below:
1. In Active Directory Users and Computers, create a Global group containing the users.
2. Locate the OU that contains the Windows XP computers and open the related Group policy object.
3. Right-click Restricted Groups (under Computer Configuration\Windows Settings\Security Settings\Restricted Groups), and then click Add Group.
4. Type "Remote Desktop Users" and click ADD, click OK. (Note: do not click Browse to browse the group. )
5. Right-click the Remote Desktop Users group, and then click Properties.
6. To the right side of the Members of this Group box, click ADD, and then click Browse.
7. Locate the group that you created, and then add it. After you do so, close the group policy.
8. On the domain controller, at a command prompt, type "gpupdate /force", and then press ENTER to refresh the policy.
Note: The original users in the Remote Desktop Users group on the Windows XP clients will be overridden.
V. Meanwhile, if your client workstations are using XP OS and have XP SP2 installed, you can configure the Windows Firewall to allow or block the remote desktop and remote assistance by using Group Policy. Please refer to the following MS article for detailed settings for these policies.
Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2
http://download.microsoft.com/download/6/8/a/68a81446-cd73-4a61-8665-ac4e8/WF_XPSP2.doc
Note: Please read the part - Windows Firewall: Allow Remote Desktop exception Enabled only if you use Remote Desktop to connect to Windows XP with SP2-based computers.
For more detailed information on enabling remote assistance policy settings, you can take a look at the following articles:
Overview of Remote Assistance in Windows XP
http://support.microsoft.com/kb/300546/EN-US/
Supported connection scenarios for Remote Assistance
http://support.microsoft.com/?id=301529
300692 Description of the Remote Assistance Connection Process
http://support.microsoft.com/?id=300692
Hope the above information helps! Please let me know if you have further questions on the issue. I am happy to be of assistance to you.
http://www.windowsdevcenter.com/pub/a/windows/2004/05/04/serverhacks_remote.html
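To check the result of the steps above on a workstation, the following added example (not part of the original post) reads the registry values the post names and lists the members of Remote Desktop Users, which matters because Restricted Groups replaces the existing membership. It goes slightly beyond the post by also reading the Policies location that the Terminal Services policy writes to; it assumes Windows PowerShell 5.1 or later for Get-LocalGroupMember, and the function names are hypothetical.

```powershell
# Added example: audit the remote-access settings named in the post on the local machine.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-RemoteAccessState {
    $ts       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # Location written by the "Allow users to connect remotely using Terminal Services" policy.
    $tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    $localDeny  = Get-RegValue $ts 'fDenyTSConnections'
    $policyDeny = Get-RegValue $tsPolicy 'fDenyTSConnections'
    # A policy value, when present, takes precedence over the local setting.
    $effective  = if ($null -ne $policyDeny) { $policyDeny } else { $localDeny }

    # S-1-5-32-555 is the well-known SID of the built-in Remote Desktop Users group.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        RdpEnabled         = ($effective -eq 0)          # 0 turns on, 1 turns off
        RdpSetBy           = if ($null -ne $policyDeny) { 'GroupPolicy' } else { 'Local' }
        RemoteAssistance   = ((Get-RegValue $ts 'fAllowToGetHelp') -eq 1)
        EnableDCOM         = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Ole' 'EnableDCOM'
        RemoteDesktopUsers = @($members)
    }
}

Get-RemoteAccessState | Format-List
```

Run it after "gpupdate /force" has completed; a RemoteDesktopUsers list that contains anything other than the group added through Restricted Groups means the policy has not applied to that machine.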
I wish it was possible to enable and disable this feature through group policy but it is not.
There are some great things that may help you above but my solution is quick and easy. Take a look at this link which will have you create a script with under 20 lines of EASY code. In fact you don't need to edit any of it. Just push the script out through a group policy and you're good to go.
http://www.adminprep.com/forums/How_to_Enable_Remote_Desktop_Through_a_Script/m_141/tm.htm
Brian
HOLY CRAP JAY_JAY found the policy I have been looking for my whole life. Wow, I wonder how this got past my watchful eyes.
Great find!!!!!!!!!!
Brian
Hey Brian,
I had the exact same reaction when Netman66 pointed it out to me....I think it is probably the worst worded policy that MS have....... completely misleading :)
Hey Hey Now I am famous on your site! Although, it was Netman who showed me.
I am a frequent visitor by the way, very impressive site
james
Thanks James. I just wish the site would make some money so I could retire. Email me if you want to contribute to the site.
Brian
Did I hear my name? :o)
All credit where credit due!
Your integrity and honesty never cease to impress me James!
@Brian - nice site bud! Very clean. Now you just need some traffic. Email me and we'll talk. It's my alias here at gmail.
does anyone have the link posted above?
If it was the link to the AdminPrep article you can find it here - http://msmvps.com/blogs/ad/archive/2006/07/28/enable-remote-desktop-through-a-script.aspx
Brian
awesome thanks