aysa_servicios
asked on
Remote Assistance & Administrator Rights & SMS2003
In my organization we are defining the security rights and we need groups which could connect to computers using remote assistance or remote tools in SMS 2003 without being an administrator in the target pc.
We have tried different configurations, using the group “Offer Remote Assistance Helpers” and nothing happened, it’s still asking for an account with administrator rights in the case of “Remote Tools” or giving an access error in the case of “Remote Assistance”.
Our environment consists in a Windows 2003 Active Directory and SMS 2003 as our patching and distribution utility.
Please let me know if you need any other relevant information to find the right answer.
Thank you in advance!
We have tried different configurations, using the group “Offer Remote Assistance Helpers” and nothing happened, it’s still asking for an account with administrator rights in the case of “Remote Tools” or giving an access error in the case of “Remote Assistance”.
Our environment consists in a Windows 2003 Active Directory and SMS 2003 as our patching and distribution utility.
Please let me know if you need any other relevant information to find the right answer.
Thank you in advance!
ASKER
That’s exactly what we have done but it doesn’t work if the users aren’t in the administrator group in the target PC.
Do does users or group have "use remote tools" rights on the colellections (e.g. all systems"?
http://technet.microsoft.com/en-us/library/bb694296.aspx
http://technet.microsoft.com/en-us/library/bb694296.aspx
ASKER
Yes they have, indeed my account is the SMS administrator with full access rights and if I am not added in the administrator group of the target pc it fails.
ASKER
We all also have the correct configuration in AD remote control settings.
SMS.JPG
SMS.JPG
ok can you check this articles:
http://support.microsoft.com/kb/259740/en-us
http://support.microsoft.com/kb/287710/en-us
http://support.microsoft.com/kb/259740/en-us
http://support.microsoft.com/kb/287710/en-us
ASKER
I have already checked those articles.
Maybe this will address your issue?
https://www.experts-exchange.com/questions/24338557/sccm-remote-control-prompting-for-credentials.html
https://www.experts-exchange.com/questions/24338557/sccm-remote-control-prompting-for-credentials.html
ASKER
I have already checked that article.
Could this kb http://support.microsoft.com/kb/308013 apply to SMS 2003 too? If this is correct there isn´t a way to connect without being a local administrator in the target pc.
Hope not.
Could this kb http://support.microsoft.com/kb/308013 apply to SMS 2003 too? If this is correct there isn´t a way to connect without being a local administrator in the target pc.
Hope not.
no i dont think so. on each article i found there was a note that no local admin permissons are required
ASKER
Could you tell me please where I could find that note?
Thank you in advance!
Thank you in advance!
"Local administrator rights are not required for a user to be able to use Remote Tools. If the collection and Permitted Viewers list security is met, the Remote Tools user can use Remote Tools on the client."
http://technet.microsoft.com/en-us/library/cc181468.aspx
http://technet.microsoft.com/en-us/library/cc181468.aspx
ASKER
Merowinger,
Thanks for your help, but I still can't connect to my clients.
I've done everything documentation says, permitted viewers, collection and remote tools security.
The domain user that I used for these tests cannot connect to the clients when I try to offer remote assistance through SMS 2003, it only works when I designate that domain user as local administrator for a particular client.
Is there anything else I’m missing? GPOs? Something in AD or a remote registry?
Sorry to bother, but this is a critical issue for me and my company.
Thanks for your help, but I still can't connect to my clients.
I've done everything documentation says, permitted viewers, collection and remote tools security.
The domain user that I used for these tests cannot connect to the clients when I try to offer remote assistance through SMS 2003, it only works when I designate that domain user as local administrator for a particular client.
Is there anything else I’m missing? GPOs? Something in AD or a remote registry?
Sorry to bother, but this is a critical issue for me and my company.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
For this you have to enable Remote Tools on the SMS 2003 Clients.
SMS 2003 -> Site Settings -> Client Agents -> "Remote Tools Client
Agent" -> properties -> Enable
On the security-tab you can add permitted viewers e.g. an Active Directory Group which you've created.