benleicester


Terminal Services - remote control sessions from client machine?

Hello,

I have a smallish network with an SBS2003 box and a separate Win2k3 server running Terminal Services. I wish to allow one staff member to remote control other users' TS sessions, which she can do from the SBS2003 box via the Terminal Services MMC, but I don't really want to give her access to the main server.

Is it possible to put the MMC on her client PC? If so, how, and also, what rights will I have to give her to allow her to access this but not have other admin rights on the domain?

500 points for a step by step answer!

Many Thanks
 
ASKER CERTIFIED SOLUTION
Hypercat (Deb)

This solution is only available to members.

benleicester

ASKER

Hi Hypercat,

Thanks for your response, but I don't think it will work in my scenario. I have a lockdown GPO with loopback processing which the server itself belongs to - I have done it this way around to ensure everyone using the Terminal Server has the same lockdown, and users who also have a normal PC on the domain are not affected by it, i.e. regular domain users don't need a second user account just for TS.

Any other ideas?

Many Thanks

I'm not understanding why this would prevent you from doing what I suggested. What is your lockdown scenario and what do you mean by "loopback processing"? Are you saying that anyone, including administrators, who logs on to that terminal server has limited access? I was assuming that by giving her administrative-level access to the terminal server, you would be bypassing any limited security scenario. I'm assuming that the TS is not a domain controller but a member server, so this would not give her access at the domain administrative level. You understand, I hope, that by logging on to the remote console, she is in remote administration mode on the terminal server as if she was sitting physically at the server and logging on with administrative rights. I don't know of any other way to get direct remote control of a terminal session other than logging on to the terminal server via the console.

You could use another remote control software, such as Real VNC, pcAnywhere, etc., to connect to the PC that is running the remote desktop session. However, that requires the installation of software on both PCs (the one doing the controlling and the one being controlled). Maybe that would work better in your scenario though, depending on where the remote users are connecting from.

Deb

Hello,

Yes, that does mean administrators have limited access on the TS; when making changes I have to either switch off the GPO or move the server out of the lockdown OU.

Loopback processing basically means anyone logging onto that Terminal Server is affected by the lockdown policy regardless of where their own account sits in AD - I have set it up this way as per the recommendations in this white paper: http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx

Thanks for your help - any other suggestions from anyone (taking into account having the lockdown working the way it is currently works for us and we would like to leave it that way round.)

Many Thanks

Thanks for the article link - that's one I hadn't looked at. I can see what you've done and that would definitely prevent the scenario I suggested. Again, the only other option I see is to use some 3rd party remote control software and connect to the client rather than the server.

Deb

If I installed the MMC on the user's client machine, would the remote control option be greyed out? Just wondered because it seems we can remote control the sessions from the SBS server.

Install adminpak.msi on her machine; it will install the admin tools on her machine. Then assign her the rights to be able to remote control the sessions.

I think this is in the user rights for the local server somewhere.