XP Remote Desktop - Limited Account vs Administrator Account

Archived from groups: microsoft.public.windowsxp.work_remotely

Hi,

Can anyone confirm whether my symptoms are "by design" or that I have
overlooked something?

I oversee my son's PC with XP Pro. I have XP Pro. Both PCs have each
other's user accounts defined on each other. Access to each other's
files/folders is fine. I don't know if it's significant or not, but the
PC is set up for fast user switching.

I set up a Group Policy on my son's PC to enable accept remote logon
terminal connections. I think this both ticks and greys out the Remote
Desktop check box on the Remote tab in My Computer Properties.

I find that I can only attach to the remote PC if the login name I am
using on my son's PC is an administrator account. Obviously I want to
have my son as a limited user, but this prevents me logging in on his
account to carry out "housekeeping" tasks and testing.

I checked this by changing his account to Administrator and then the
remote login on his account worked fine. Changed him to Limited (using
my admin login) and remote desktop fails with a message that local
security prevents logon.


Is this by design? OR have I missed something?

If so it's highly irritating!!

TIA

Mal
  1. Archived from groups: microsoft.public.windowsxp.work_remotely

    You have to be either an Administrator or a member of the Remote Desktop Users Group.

    http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/pree_rem_hzcq.asp

    Personally I normally run as a Limited user and just added my name to the Remote Desktop Users
    Group. That way I can RD into my home PC and run my normal desktop.

    The Remote Assistance and Remote Desktop checkboxes are grayed out if you logon as a Limited
    user...They can only be controlled by an Administrator...

    --
    Al Jarvi (MS-MVP Windows Networking)

    Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
    The MS-MVP Program - http://mvp.support.microsoft.com
    This posting is provided "AS IS" with no warranties, and confers no rights...

    "Malice" <malice@tembo-x-graphics.com> wrote in message news:QKSdndpTe7PQwd3fRVnyhQ@pipex.net...
    > Hi,
    >
    > Can anyone confirm whether my symptoms are "by design" or that I have overlooked something?
    >
    > I oversee my son's PC with XP Pro. I have XP Pro. Both PCs have each other's user accounts
    > defined on each other. Access to each other's files/folders is fine. I don't know if it's
    > significant or not, but the PC is set up for fast user switching.
    >
    > I set up a Group Policy on my son's PC to enable accept remote logon terminal connections. I think
    > this both ticks and greys out the Remote Desktop check box on the Remote tab in My Computer
    > Properties.
    >
    > I find that I can only attach to the remote PC if the login name I am using on my son's PC is an
    > administrator account. Obviously I want to have my son as a limited user, but this prevents me
    > logging in on his account to carry out "housekeeping" tasks and testing.
    >
    > I checked this by changing his account to Administrator and then the remote login on his account
    > worked fine. Changed him to Limited (using my admin login) and remote desktop fails with a
    > message that local security prevents logon.
    >
    >
    > Is this by design? OR have I missed something?
    >
    > If so it's highly irritating!!
    >
    > TIA
    >
    > Mal
  2. Archived from groups: microsoft.public.windowsxp.work_remotely

    Sooner Al [MVP] wrote:
    > You have to be either an Administrator or a member of the Remote Desktop
    > Users Group.
    >
    > http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/pree_rem_hzcq.asp
    >
    >
    > Personally I normally run as a Limited user and just added my name to
    > the Remote Desktop Users Group. That way I can RD into my home PC and
    > run my normal desktop.
    >
    > The Remote Assistance and Remote Desktop checkboxes are grayed out if
    > you logon as a Limited user...They can only be controlled by an
    > Administrator...
    >

    (1) The greyed out boxes are there because of Group Policy changes.
    Signing on locally with Admin rights still has the boxes greyed out
    (and ticked for the Remote Desktop). I checked this by undoing the
    Group Policy and the boxes returned to normal. Limited
    User/Administrator have no effect if a Group Policy is in place.

    (2) The Add users appears to only allow me to select local users to the
    PC I want to connect to. I cannot browse and specify a \\My_PC_Name\Me
    type of entry. It refuses to recognise it. If I add my already
    existing name (admin rights) on the remote PC to the Remote Users box
    for the limited user, I cannot connect on that Limited Account.
    Security policy refuses to let me connect. I can only connect if the
    login account has Admin rights. Of course it being a home LAN I do not
    run a domain server set up.

    I'll revisit the settings to see if I've missed something, but I don't
    think I have.


    Mal
  3. Archived from groups: microsoft.public.windowsxp.work_remotely

    What group policies are you enabling and why? The only group policies for Remote Desktop/Terminal
    Services that I set on my XP Pro PC are...

    Disable the rendering of desktop wallpaper to remote clients
    Always prompt for a password
    Use High encryption versus Client Compatible

    In my case I normally run as a Limited user named Al. I have a special "Root" user with
    administrator rights to do admin tasks from FUS if needed or I "Run as"...

    You add the local user, i.e. your son's name, to the Remote Desktop Users Group on his machine, it's a
    local user in a work group environment. That does not give him administrator rights. It only allows
    that particular user to login via Remote Desktop.

    --
    Al Jarvi (MS-MVP Windows Networking)

    Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
    The MS-MVP Program - http://mvp.support.microsoft.com
    This posting is provided "AS IS" with no warranties, and confers no rights...

    "Malice" <malice@tembo-x-graphics.com> wrote in message news:hIqdneDiBt6_M93fRVnyhg@pipex.net...
    > Sooner Al [MVP] wrote:
    >> You have to be either an Administrator or a member of the Remote Desktop Users Group.
    >>
    >> http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/pree_rem_hzcq.asp
    >> Personally I normally run as a Limited user and just added my name to the Remote Desktop Users
    >> Group. That way I can RD into my home PC and run my normal desktop.
    >>
    >> The Remote Assistance and Remote Desktop checkboxes are grayed out if you logon as a Limited
    >> user...They can only be controlled by an Administrator...
    >>
    >
    > (1) The greyed out boxes are there because of Group Policy changes. Signing on locally with Admin
    > rights still has the boxes greyed out (and ticked for the Remote Desktop). I checked this by
    > undoing the Group Policy and the boxes returned to normal. Limited User/Administrator have no
    > effect if a Group Policy is in place.
    >
    > (2) The Add users appears to only allow me to select local users to the PC I want to connect to.
    > I cannot browse and specify a \\My_PC_Name\Me type of entry. It refuses to recognise it. If I
    > add my already existing name (admin rights) on the remote PC to the Remote Users box for the
    > limited user, I cannot connect on that Limited Account. Security policy refuses to let me connect.
    > I can only connect if the login account has Admin rights. Of course it being a home LAN I do not
    > run a domain server set up.
    >
    > I'll revisit the settings to see if I've missed something, but I don't think I have.
    >
    >
    >
    > Mal
    >
  4. Archived from groups: microsoft.public.windowsxp.work_remotely

    Sooner Al [MVP] wrote:
    > What group policies are you enabling and why? The only group policies
    > for Remote Desktop/Terminal Services that I set on my XP Pro PC are...
    >
    > Disable the rendering of desktop wallpaper to remote clients
    > Always prompt for a password
    > Use High encryption versus Client Compatible

    Computer Configuration : Administrative Templates : Windows Components :
    Terminal Services : Allow users to connect remotely using Terminal Services.


    "Specifies whether to allow users to connect remotely using Terminal
    Services.

    You can use this setting to configure Terminal Services remote access
    for the target computers.

    If the status is set to Enabled, users can connect to the target
    computers remotely using Terminal Services. You can limit the number of
    users who can connect simultaneously by configuring the "Limit number of
    connections" setting or the "Maximum Connections" option on the Network
    Adapter tab in the Terminal Services Configuration tool.

    If the status is set to Disabled, the target computers maintain current
    connections, but will not accept any new incoming connections.

    If the status is set to Not Configured, Terminal Services uses the
    "Allow users to connect remotely to your computer" option on the target
    computer to determine whether remote connection is allowed. This option
    is found on the Remote tab in System Properties."

    If this is enabled the boxes are greyed out and no user, even
    administrator, is able to change the setting: only changing the Policy
    will do this.

    Why do I want this? Because for a user with Admin rights I do not want
    them to be able to deselect the option to allow remote connection. It's
    a pity that setting this Policy does not prevent the user with admin
    rights from amending/removing the list of remote users in the list. If
    the list is empty the log-in-remotely user account has to be an
    administrator for remote connection to work, otherwise it's refused.


    >
    > In my case I normally run as a Limited user named Al. I have a special
    > "Root" user with administrator rights to do admin tasks from FUS if
    > needed or I "Run as"...
    >
    > You add the local user, i.e. your son's name, to the Remote Desktop Users
    > Group on his machine, it's a local user in a work group environment. That
    > does not give him administrator rights. It only allows that particular
    > user to login via Remote Desktop.
    >

    Ahhh!! That worked. So in this instance I was able to change the user
    to Limited which meant my son's login is unable to change remote
    settings anyway, but as his name was in the remote user list I was able
    to remotely connect using his sign on.

    But I know from previous experience, a limited user account gives him
    problems with certain games and installing games. Ideally I'd like to
    give him restricted Admin rights. I have gone some way to achieving
    this by setting permissions on say Control Panel Applets (User Accounts)
    that only my sign on has access rights to read/execute. I then have
    used a Group Policy to disable the Securities tab so that he cannot take
    ownership and reset any permissions on any object. A bit long winded
    and tortuous, but hopefully a one time task.

    Thanks for your pointer though. I have an idea how to prevent him from
    changing the Remote Users list. The Registry key:

    HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names holds the list
    of remote users. If I change the permissions to read only I may be able
    to grant Admin rights but prevent deletion of his name in the list!
    That with the group policy restriction on being unable to deselect
    Remote Desktop feature will be as water tight as I can make it!

    Mal
  5. Archived from groups: microsoft.public.windowsxp.work_remotely

    Malice wrote:

    > Thanks for your pointer though. I have an idea how to prevent him from
    > changing the Remote Users list. The Registry key:
    >
    > HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names holds the list
    > of remote users. If I change the permissions to read only I may be able
    > to grant Admin rights but prevent deletion of his name in the list! That
    > with the group policy restriction on being unable to deselect Remote
    > Desktop feature will be as water tight as I can make it!
    >
    > Mal

    Nope that's not the Key. The list is not held in the Registry. If I
    knew where it was held I could change permissions on the file itself.

    Anyone know where the Remote Desktop User list is stored?

    Mal
  6. Archived from groups: microsoft.public.windowsxp.work_remotely

    Malice wrote:
    > Malice wrote:
    >
    >> Thanks for your pointer though. I have an idea how to prevent him
    >> from changing the Remote Users list. The Registry key:
    >>
    >> HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names holds the list
    >> of remote users. If I change the permissions to read only I may be
    >> able to grant Admin rights but prevent deletion of his name in the
    >> list! That with the group policy restriction on being unable to
    >> deselect Remote Desktop feature will be as water tight as I can make it!
    >>
    >> Mal
    >
    >
    > Nope that's not the Key. The list is not held in the Registry. If I
    > knew where it was held I could change permissions on the file itself.
    >
    > Anyone know where the Remote Desktop User list is stored?
    >
    > Mal
    Anyone?
  7. Archived from groups: microsoft.public.windowsxp.work_remotely

    Could you use group policy to enforce membership of the Remote Users group
    using the "Restricted Groups" setting?


    Regards,
    Brian

    "Malice" <malice@tembo-x-graphics.com> wrote in message
    news:ipidnbXKE8fGkdHfRVnyvA@pipex.net...
    > Malice wrote:
    >> Malice wrote:
    >>
    >>> Thanks for your pointer though. I have an idea how to prevent him from
    >>> changing the Remote Users list. The Registry key:
    >>>
    >>> HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names holds the list
    >>> of remote users. If I change the permissions to read only I may be able
    >>> to grant Admin rights but prevent deletion of his name in the list! That
    >>> with the group policy restriction on being unable to deselect Remote
    >>> Desktop feature will be as water tight as I can make it!
    >>>
    >>> Mal
    >>
    >>
    >> Nope that's not the Key. The list is not held in the Registry. If I
    >> knew where it was held I could change permissions on the file itself.
    >>
    >> Anyone know where the Remote Desktop User list is stored?
    >>
    >> Mal
    > Anyone?
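
Added example, not part of the original thread: a small audit of who can log on over Remote Desktop, following the rule discussed above (Administrators or members of Remote Desktop Users), with a drift check for names removed from the list. It assumes English `net localgroup` output and the default user-rights assignment; the account names, `fake_output` and `audit` are constructed for illustration.

```python
import subprocess

def fake_output(group, members):
    """Build constructed `net localgroup` output so the example runs offline."""
    rule = "-" * 79
    return (f"Alias name     {group}\nComment        (constructed sample)\n\n"
            f"Members\n\n{rule}\n" + "\n".join(members) +
            "\nThe command completed successfully.\n")

def query_group(group):
    """Real query, to be run on the PC being audited (not called here)."""
    return subprocess.run(["net", "localgroup", group],
                          capture_output=True, text=True, check=True).stdout

def parse_members(output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if not in_list:
            in_list = bool(line) and set(line) == {"-"}
        elif line.startswith("The command completed"):
            break
        elif line:
            members.append(line)
    return members

def audit(expected_rdu, admins_out, rdu_out):
    """Compare the Remote Desktop Users group against the intended list."""
    admins = {m.lower() for m in parse_members(admins_out)}
    rdu = {m.lower() for m in parse_members(rdu_out)}
    expected = {m.lower() for m in expected_rdu}
    return {
        "can_connect": sorted(admins | rdu),         # admins never need the group
        "removed": sorted(expected - rdu),           # drift: name taken off the list
        "unexpected": sorted(rdu - expected),        # drift: name nobody approved
        "refused": sorted(expected - rdu - admins),  # will get the logon refusal
    }

if __name__ == "__main__":
    admins = fake_output("Administrators", ["Administrator", "Mal"])
    print(audit(["son"], admins, fake_output("Remote Desktop Users", ["son"])))
    print(audit(["son"], admins, fake_output("Remote Desktop Users", [])))
```

On a real machine, pass `query_group("Administrators")` and `query_group("Remote Desktop Users")` instead of the constructed samples.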