XP Remote Desktop - Limited Account vs Administrator Account

Malice

Distinguished
Mar 22, 2005
13
0
18,510
Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Hi,

Can anyone confirm whether my symptoms are "by design" or that I have
overlooked something?

I oversee my son's PC with XP Pro. I have XP Pro. Both PCs have each
other's user accounts defined on each other. Access to each other's
files/folders is fine. I don't know if it's significant or not, but the
PC is set up for fast user switching.

I set up a Group Policy on my son's PC to enable accept remote logon
terminal connections. I think this both ticks and greys out the Remote
Desktop check box on the Remote tab in My Computer Properties.

I find that I can only attach to the remote PC if the login name I am
using on my son's PC is an administrator account. Obviously I want to
have my son as a limited user, but this prevents me logging in on his
account to carry out "housekeeping" tasks and testing.

I checked this by changing his account to Administrator and then the
remote login on his account worked fine. Changed him to Limited (using
my admin login) and remote desktop fails with a message that local
security prevents logon.


Is this by design? OR have I missed something?

If so it's highly irritating!!

TIA

Mal
 
Guest


You have to be either an Administrator or a member of the Remote Desktop Users Group.

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/pree_rem_hzcq.asp

Personally I normally run as a Limited user and just added my name to the Remote Desktop Users
Group. That way I can RD into my home PC and run my normal desktop.

The Remote Assistance and Remote Desktop checkboxes are grayed out if you logon as a Limited
user...They can only be controlled by an Administrator...

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...

 

Malice


Sooner Al [MVP] wrote:
> You have to be either an Administrator or a member of the Remote Desktop
> Users Group.
>
> http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/pree_rem_hzcq.asp
>
>
> Personally I normally run as a Limited user and just added my name to
> the Remote Desktop Users Group. That way I can RD into my home PC and
> run my normal desktop.
>
> The Remote Assistance and Remote Desktop checkboxes are grayed out if
> you logon as a Limited user...They can only be controlled by an
> Administrator...
>

(1) The greyed out boxes are there because of Group Policy changes.
Signing on locally with Admin rights still have the boxes greyed out
(and ticked for the Remote Desktop). I checked this by undoing the
Group Policy and the boxes returned to normal. Limited
User/Administrator have no effect if a Group Policy is in place.

(2) The Add users appears to only allow me to select local users to the
PC I want to connect to. I cannot browse and specify a \\My_PC_Name\Me
type of entry. It refuses to recognise it. If I add my already
existing name (admin rights) on the remote PC to the Remote Users box
for the limited user, I cannot connect on that Limited Account.
Security policy refuses to let me connect. I can only connect if the
login account has Admin rights. Of course it being a home LAN I do not
run a domain server set up.

I'll revisit the settings to see if I've missed something, but I don't
think I have.



Mal
 
Guest


What group policies are you enabling and why? The only group policies for Remote Desktop/Terminal
Services that I set on my XP Pro PC are...

Disable the rendering of desktop wallpaper to remote clients
Always prompt for a password
Use High encryption versus Client Compatible

In my case I normally run as a Limited user named Al. I have a special "Root" user with
administrator rights to do admin tasks from FUS if needed or I "Run as"...

You add the local user, i.e. your son's name, to the Remote Desktop Users Group on his machine, it's a
local user in a work group environment. That does not give him administrator rights. It only allows
that particular user to login via Remote Desktop.

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...

 

Malice


Sooner Al [MVP] wrote:
> What group policies are you enabling and why? The only group policies
> for Remote Desktop/Terminal Services that I set on my XP Pro PC are...
>
> Disable the rendering of desktop wallpaper to remote clients
> Always prompt for a password
> Use High encryption versus Client Compatible

Computer Configuration : Administrative Templates : Windows Components :
Terminal Services : Allow users to connect remotely using Terminal Services.


"Specifies whether to allow users to connect remotely using Terminal
Services.

You can use this setting to configure Terminal Services remote access
for the target computers.

If the status is set to Enabled, users can connect to the target
computers remotely using Terminal Services. You can limit the number of
users who can connect simultaneously by configuring the "Limit number of
connections" setting or the "Maximum Connections" option on the Network
Adapter tab in the Terminal Services Configuration tool.

If the status is set to Disabled, the target computers maintain current
connections, but will not accept any new incoming connections.

If the status is set to Not Configured, Terminal Services uses the
"Allow users to connect remotely to your computer" option on the target
computer to determine whether remote connection is allowed. This option
is found on the Remote tab in System Properties."

If this is enabled the boxes are greyed out and no user, even
administrator, is able to change the setting: only changing the Policy
will do this.

Why do I want this? Because for a user with Admin rights I do not want
them to be able to deselect the option to allow remote connection. It's
a pity that setting this Policy does not prevent the user with admin
rights from amending/removing the list of remote users in the list. If
the list is empty the log-in-remotely user account has to be an
administrator for remote connection to work, otherwise it's refused.


>
> In my case I normally run as a Limited user named Al. I have a special
> "Root" user with administrator rights to do admin tasks from FUS if
> needed or I "Run as"...
>
> You add the local user, ie. your son's name, to the Remote Desktop Users
> Group on his machine, its a local user in a work group environment. That
> does not give him administrator rights. It only allows that particular
> user to login via Remote Desktop.
>

Ahhh!! That worked. So in this instance I was able to change the user
to Limited which meant my son's login is unable to change remote
settings anyway, but as his name was in the remote user list I was able
to remotely connect using his sign on.

But I know from previous experience, a limited user account gives him
problems with certain games and installing games. Ideally I'd like to
give him restricted Admin rights. I have gone some way to achieving
this by setting permissions on say Control Panel Applets (User Accounts)
that only my sign on has access rights to read/execute. I then have
used a Group Policy to disable the Securities tab so that he cannot take
ownership and reset any permissions on any object. A bit long winded
and tortuous, but hopefully a one time task.

Thanks for your pointer though. I have an idea how to prevent him from
changing the Remote Users list. The Registry key:

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names holds the list
of remote users. If I change the permissions to read only I may be able
to grant Admin rights but prevent deletion of his name in the list!
That with the group policy restriction on being unable to deselect
Remote Desktop feature will be as water tight as I can make it!

Mal
 

Malice


Malice wrote:

> Thanks for your pointer though. I have an idea how to prevent him from
> changing the Remote Users list. The Registry key:
>
> HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names holds the list
> of remote users. If I change the permissions to read only I may be able
> to grant Admin rights but prevent deletion of his name in the list! That
> with the group policy restriction on being unable to deselect Remote
> Desktop feature will be as water tight as I can make it!
>
> Mal

Nope that's not the Key. The list is not held in the Registry. If I
knew where it was held I could change permissions on the file itself.

Anyone know where the Remote Desktop User list is stored?

Mal
 

Malice


Malice wrote:
> Malice wrote:
>
>> Thanks for your pointer though. I have an idea how to prevent him
>> from changing the Remote Users list. The Registry key:
>>
>> HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names holds the list
>> of remote users. If I change the permissions to read only I may be
>> able to grant Admin rights but prevent deletion of his name in the
>> list! That with the group policy restriction on being unable to
>> deselect Remote Desktop feature will be as water tight as I can make it!
>>
>> Mal
>
>
> Nope that's not the Key. The list is not held in the Registry. If I
> knew where it was held I could change permissions on the file itself.
>
> Anyone know where the Remote Desktop User list is stored?
>
> Mal
Anyone?
 
Guest


Could you use group policy to enforce membership of the Remote Users group
using the "Restricted Groups" setting?


Regards,
Brian

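
The rule given in Al Jarvi's replies (a remote logon needs membership of Administrators or of the Remote Desktop Users group, and the Group Policy setting overrides the checkbox on the Remote tab) can be checked on the target PC with the script below. It is an added example, not part of the original thread; it assumes PowerShell is installed, English group names and a workgroup machine, and the function names are hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the PC you connect TO.
# Assumes English group names and a workgroup (non-domain) machine.

function Get-LocalGroupMemberNames([string]$Group) {
    # The WinNT ADSI provider reads local groups without a domain controller.
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-DenyFlag([string]$Key) {
    # fDenyTSConnections: 0 = connections allowed, 1 = refused, absent = not set.
    $p = Get-ItemProperty -Path $Key -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($p) { $p.fDenyTSConnections } else { $null }
}

# The Group Policy value, when present, overrides the checkbox on the Remote tab.
$policy = Get-DenyFlag 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$local  = Get-DenyFlag 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

if ($null -ne $policy) {
    $state = if ($policy -eq 0) { 'ENABLED' } else { 'DISABLED' }
    "Remote Desktop is $state by Group Policy (checkbox is greyed out)."
} elseif ($local -eq 0) {
    'Remote Desktop is enabled by the local checkbox.'
} else {
    'Remote Desktop is not enabled.'
}

$admins = @(Get-LocalGroupMemberNames 'Administrators')
$rdu    = @(Get-LocalGroupMemberNames 'Remote Desktop Users')

# Every account that passes the membership check, and why.
foreach ($name in ($admins + $rdu | Sort-Object -Unique)) {
    $via = @()
    if ($admins -contains $name) { $via += 'Administrators' }
    if ($rdu    -contains $name) { $via += 'Remote Desktop Users' }
    '{0,-20} may connect via: {1}' -f $name, ($via -join ', ')
}
```

An account listed only under Remote Desktop Users is a limited user with remote logon, which is the arrangement that resolved the original question.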