Sign in with
Sign up | Sign in
Your question

GPO for Remote Desktop and Firewall Settings

Last response: in Windows 2000/NT
Share
Anonymous
July 21, 2005 3:24:02 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hello, I am attempting to get the Remote Desktop feature to work.

I have a GPO that is doing some of the following according to the GPO Results
I have pasted below the settings that were applied. On the client I am
seeing the Remote assistance and the 135 port enabled, via a policy, but what
I do not see happen is the enabling of the Remote Desktop. Thus I am getting
denied access, with the error related to the system not being available.

I must have missed something obvious, but basically I am looking to enable
the remote desktop feature in which I would initiate the connection and the
user could say yes or no...rather than the user asking me for
assistance...i'll cross that bridge when I get there...

Any ideas? Thanks
J


___________________________________________________________________
Offer Remote Assistance Enabled Level 2 - Lockdown
Permit remote control of this computer: Allow helpers to remotely control
the computer
Helpers:
DOMAIN\Domain Admins
DOMAIN\User One
DOMAIN\User Two
User Three
DOMAIN\User Four
___________________________________________________________________

Also I have these settings according to what I could find to enable the
firewall to allow remote assistance
___________________________________________________________________

Software\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\135:TCP:192.168.1.0/24:enabled:Remote Assistance

Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%WINDIR%\System32\Sessmgr.exe:192.168.1.0/24:Remote Assistance

Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%WINDIR%\System32\Sessmgr.exe:192.168.1.0/24:Remote Assistance

Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%WINDIR%\PCHealth\HelpCtr\Binaries\HelpCtr.exe:Remote Assitance

___________________________________________________________________
Anonymous
July 22, 2005 2:40:08 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi Smurfman,

I have the same opinion with Denis, you can check the following articles to
enable to the remote desktop policy:

Using Group Policy with Remote Desktop
http://www.microsoft.com/resources/documentation/Window...
/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/pree_r
em_uvnl.asp

Enable or disable Remote Desktop
http://www.microsoft.com/technet/prodtechnol/windowsser...
rHelp/1e4a44de-2be1-4d29-9387-9f04b79cc17a.mspx

If the issue persists, please run "rsop.msc" on teh problematic XP pro and
send it to v-rebc@microsoft.com for resaerch.


Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>Thread-Topic: GPO for Remote Desktop and Firewall Settings
>thread-index: AcWOIV5PkrG692VVRcGMXwfC/xNOtA==
>X-WBNR-Posting-Host: 209.217.222.70
>From: "=?Utf-8?B?U211cmZtYW4=?=" <smurfman@news.postalias>
>Subject: GPO for Remote Desktop and Firewall Settings
>Date: Thu, 21 Jul 2005 11:24:02 -0700
>Lines: 46
>Message-ID: <188C662C-7D06-46E6-A515-160FD000E871@microsoft.com>
>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="Utf-8"
>Content-Transfer-Encoding: 7bit
>X-Newsreader: Microsoft CDO for Windows 2000
>Content-Class: urn:content-classes:message
>Importance: normal
>Priority: normal
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>Newsgroups: microsoft.public.win2000.group_policy
>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.win2000.group_policy:11795
>X-Tomcat-NG: microsoft.public.win2000.group_policy
>
>Hello, I am attempting to get the Remote Desktop feature to work.
>
>I have a GPO that is doing some of the following according to the GPO
Results
>I have pasted below the settings that were applied. On the client I am
>seeing the Remote assistance and the 135 port enabled, via a policy, but
what
>I do not see happen is the enabling of the Remote Desktop. Thus I am
getting
>denied access, with the error related to the system not being available.
>
>I must have missed something obvious, but basically I am looking to enable
>the remote desktop feature in which I would initiate the connection and
the
>user could say yes or no...rather than the user asking me for
>assistance...i'll cross that bridge when I get there...
>
>Any ideas? Thanks
>J
>
>
>___________________________________________________________________
>Offer Remote Assistance Enabled Level 2 - Lockdown
>Permit remote control of this computer: Allow helpers to remotely control
>the computer
>Helpers:
>DOMAIN\Domain Admins
>DOMAIN\User One
>DOMAIN\User Two
>User Three
>DOMAIN\User Four
>___________________________________________________________________
>
>Also I have these settings according to what I could find to enable the
>firewall to allow remote assistance
>___________________________________________________________________
>
Software\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\
List\135:TCP:192.168.1.0/24:enabled:Remote Assistance
>
Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplicat
ions\List\%WINDIR%\System32\Sessmgr.exe:192.168.1.0/24:Remote Assistance
>
Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplicat
ions\List\%WINDIR%\System32\Sessmgr.exe:192.168.1.0/24:Remote Assistance
>
Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplicat
ions\List\%WINDIR%\PCHealth\HelpCtr\Binaries\HelpCtr.exe:Remote Assitance
>
>___________________________________________________________________
>
>
>
>
>
Anonymous
July 22, 2005 3:43:11 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi,

Have you set this?

Comp Config\Administrative Templates\Network\Network Connections\Windows
Firewall\Domain Profile\Windows Firewall: Allow Remote Desktop exception

At least Microsoft Windows XP Professional with SP2

"Allows this computer to receive Remote Desktop requests. To do this,
Windows Firewall opens TCP port 3389. If you enable this policy setting,
Windows Firewall opens this port so that this computer can receive Remote
Desktop requests. You must specify the IP addresses or subnets from which
these incoming messages are allowed. In the Windows Firewall component of
Control Panel, the Remote Desktop check box is selected and administrators
cannot clear it. If you disable this policy setting, Windows Firewall
blocks this port, which prevents this computer from receiving Remote Desktop
requests. If an administrator attempts to open this port by adding it to a
local port exceptions list, Windows Firewall does not open the port. In the
Windows Firewall component of Control Panel, the Remote Desktop check box is
cleared and administrators cannot select it. If you do not configure this
policy setting, Windows Firewall does not open this port. Therefore, the
computer cannot receive Remote Desktop requests unless an administrator uses
other policy settings to open the port. In the Windows Firewall component of
Control Panel, the Remote Desktop check box is cleared. Administrators can
change this check box."

br,
Denis

"Smurfman" <smurfman@news.postalias> wrote in message
news:188C662C-7D06-46E6-A515-160FD000E871@microsoft.com...
> Hello, I am attempting to get the Remote Desktop feature to work.
>
> I have a GPO that is doing some of the following according to the GPO
Results
> I have pasted below the settings that were applied. On the client I am
> seeing the Remote assistance and the 135 port enabled, via a policy, but
what
> I do not see happen is the enabling of the Remote Desktop. Thus I am
getting
> denied access, with the error related to the system not being available.
>
> I must have missed something obvious, but basically I am looking to enable
> the remote desktop feature in which I would initiate the connection and
the
> user could say yes or no...rather than the user asking me for
> assistance...i'll cross that bridge when I get there...
>
> Any ideas? Thanks
> J
>
>
> ___________________________________________________________________
> Offer Remote Assistance Enabled Level 2 - Lockdown
> Permit remote control of this computer: Allow helpers to remotely control
> the computer
> Helpers:
> DOMAIN\Domain Admins
> DOMAIN\User One
> DOMAIN\User Two
> User Three
> DOMAIN\User Four
> ___________________________________________________________________
>
> Also I have these settings according to what I could find to enable the
> firewall to allow remote assistance
> ___________________________________________________________________
>
>
Software\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\
List\135:TCP:192.168.1.0/24:enabled:Remote Assistance
>
>
Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplicat
ions\List\%WINDIR%\System32\Sessmgr.exe:192.168.1.0/24:Remote Assistance
>
>
Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplicat
ions\List\%WINDIR%\System32\Sessmgr.exe:192.168.1.0/24:Remote Assistance
>
>
Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplicat
ions\List\%WINDIR%\PCHealth\HelpCtr\Binaries\HelpCtr.exe:Remote Assitance
>
> ___________________________________________________________________
>
>
>
>
Related resources
Anonymous
July 22, 2005 3:43:12 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Thanks guys, in answer to your post Denis, I think I have it set correctly...
pasted below is the settings as shown in the GPO Edit, thanks.

J
____________________________________________________________________
Windows Firewall: Allow remote administration exception Enabled
Allow unsolicited incoming messages from: localsubnet

Syntax:
Type "*" to allow messages from any network, or
else type a comma-separated list that contains
any number or combination of these:
IP addresses, such as 10.0.0.1
Subnet descriptions, such as 10.2.3.0/24
The string "localsubnet"
Example: to allow messages from 10.0.0.1,
10.0.0.2, and from any system on the
local subnet or on the 10.3.4.x subnet,
type the following:
10.0.0.1,10.0.0.2,localsubnet,10.3.4.0/24
____________________________________________________________________



"Denis Wong @ Hong Kong" wrote:

> Hi,
>
> Have you set this?
>
> Comp Config\Administrative Templates\Network\Network Connections\Windows
> Firewall\Domain Profile\Windows Firewall: Allow Remote Desktop exception
>
> At least Microsoft Windows XP Professional with SP2
>
> "Allows this computer to receive Remote Desktop requests. To do this,
> Windows Firewall opens TCP port 3389. If you enable this policy setting,
> Windows Firewall opens this port so that this computer can receive Remote
> Desktop requests. You must specify the IP addresses or subnets from which
> these incoming messages are allowed. In the Windows Firewall component of
> Control Panel, the Remote Desktop check box is selected and administrators
> cannot clear it. If you disable this policy setting, Windows Firewall
> blocks this port, which prevents this computer from receiving Remote Desktop
> requests. If an administrator attempts to open this port by adding it to a
> local port exceptions list, Windows Firewall does not open the port. In the
> Windows Firewall component of Control Panel, the Remote Desktop check box is
> cleared and administrators cannot select it. If you do not configure this
> policy setting, Windows Firewall does not open this port. Therefore, the
> computer cannot receive Remote Desktop requests unless an administrator uses
> other policy settings to open the port. In the Windows Firewall component of
> Control Panel, the Remote Desktop check box is cleared. Administrators can
> change this check box."
>
> br,
> Denis
>
> "Smurfman" <smurfman@news.postalias> wrote in message
> news:188C662C-7D06-46E6-A515-160FD000E871@microsoft.com...
> > Hello, I am attempting to get the Remote Desktop feature to work.
> >
> > I have a GPO that is doing some of the following according to the GPO
> Results
> > I have pasted below the settings that were applied. On the client I am
> > seeing the Remote assistance and the 135 port enabled, via a policy, but
> what
> > I do not see happen is the enabling of the Remote Desktop. Thus I am
> getting
> > denied access, with the error related to the system not being available.
> >
> > I must have missed something obvious, but basically I am looking to enable
> > the remote desktop feature in which I would initiate the connection and
> the
> > user could say yes or no...rather than the user asking me for
> > assistance...i'll cross that bridge when I get there...
> >
> > Any ideas? Thanks
> > J
> >
> >
> > ___________________________________________________________________
> > Offer Remote Assistance Enabled Level 2 - Lockdown
> > Permit remote control of this computer: Allow helpers to remotely control
> > the computer
> > Helpers:
> > DOMAIN\Domain Admins
> > DOMAIN\User One
> > DOMAIN\User Two
> > User Three
> > DOMAIN\User Four
> > ___________________________________________________________________
> >
> > Also I have these settings according to what I could find to enable the
> > firewall to allow remote assistance
> > ___________________________________________________________________
> >
> >
> Software\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\
> List\135:TCP:192.168.1.0/24:enabled:Remote Assistance
> >
> >
> Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplicat
> ions\List\%WINDIR%\System32\Sessmgr.exe:192.168.1.0/24:Remote Assistance
> >
> >
> Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplicat
> ions\List\%WINDIR%\System32\Sessmgr.exe:192.168.1.0/24:Remote Assistance
> >
> >
> Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplicat
> ions\List\%WINDIR%\PCHealth\HelpCtr\Binaries\HelpCtr.exe:Remote Assitance
> >
> > ___________________________________________________________________
> >
> >
> >
> >
>
>
>
Anonymous
July 22, 2005 5:00:14 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Remote Desktop has to be enabled on the target computer and appropriate user
accounts (or groups) authorized. This is independant of any Firewall
settings (well, you have to also make the appropriate firewall exceptions -
looks like you have that in hand) and also independant of Remote Assistance.
These settings will work with computers running Windows 2000 SP2 or later,
Windows XP (any SP) and Windows 2003 Server.

To enable Remote Desktop via GPO:
Computer Configuration
Windows Settings
Security Settings
Local Policies
User Rights Assignment
Allow log on through Terminal Services - specify the users
accounts or groups that you want to be able to use Remote Desktop
Administrative Templates
Windows Components
Terminal Services
Allow users to connect remotely using Terminal Services

Make sure that the target computers are actually using the Domain Firewall
Profile and your exceptions via GPO are actually applied:
netsh firewall show state

If you think the firewall is blocking the Remote Desktop, turn on the
firewall logging (Firewall configuration, Advanced tab, Security Logging,
Log dropped packets).

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"Smurfman" <smurfman@news.postalias> wrote in message
news:1A67FEC2-9472-4B9E-AA13-221CA631A494@microsoft.com...
> Thanks guys, in answer to your post Denis, I think I have it set
> correctly...
> pasted below is the settings as shown in the GPO Edit, thanks.
>
> J
> ____________________________________________________________________
> Windows Firewall: Allow remote administration exception Enabled
> Allow unsolicited incoming messages from: localsubnet
>
> Syntax:
> Type "*" to allow messages from any network, or
> else type a comma-separated list that contains
> any number or combination of these:
> IP addresses, such as 10.0.0.1
> Subnet descriptions, such as 10.2.3.0/24
> The string "localsubnet"
> Example: to allow messages from 10.0.0.1,
> 10.0.0.2, and from any system on the
> local subnet or on the 10.3.4.x subnet,
> type the following:
> 10.0.0.1,10.0.0.2,localsubnet,10.3.4.0/24
> ____________________________________________________________________
>
>
>
> "Denis Wong @ Hong Kong" wrote:
>
>> Hi,
>>
>> Have you set this?
>>
>> Comp Config\Administrative Templates\Network\Network Connections\Windows
>> Firewall\Domain Profile\Windows Firewall: Allow Remote Desktop exception
>>
>> At least Microsoft Windows XP Professional with SP2
>>
>> "Allows this computer to receive Remote Desktop requests. To do this,
>> Windows Firewall opens TCP port 3389. If you enable this policy
>> setting,
>> Windows Firewall opens this port so that this computer can receive Remote
>> Desktop requests. You must specify the IP addresses or subnets from which
>> these incoming messages are allowed. In the Windows Firewall component of
>> Control Panel, the Remote Desktop check box is selected and
>> administrators
>> cannot clear it. If you disable this policy setting, Windows Firewall
>> blocks this port, which prevents this computer from receiving Remote
>> Desktop
>> requests. If an administrator attempts to open this port by adding it to
>> a
>> local port exceptions list, Windows Firewall does not open the port. In
>> the
>> Windows Firewall component of Control Panel, the Remote Desktop check box
>> is
>> cleared and administrators cannot select it. If you do not configure
>> this
>> policy setting, Windows Firewall does not open this port. Therefore, the
>> computer cannot receive Remote Desktop requests unless an administrator
>> uses
>> other policy settings to open the port. In the Windows Firewall component
>> of
>> Control Panel, the Remote Desktop check box is cleared. Administrators
>> can
>> change this check box."
>>
>> br,
>> Denis
>>
>> "Smurfman" <smurfman@news.postalias> wrote in message
>> news:188C662C-7D06-46E6-A515-160FD000E871@microsoft.com...
>> > Hello, I am attempting to get the Remote Desktop feature to work.
>> >
>> > I have a GPO that is doing some of the following according to the GPO
>> Results
>> > I have pasted below the settings that were applied. On the client I am
>> > seeing the Remote assistance and the 135 port enabled, via a policy,
>> > but
>> what
>> > I do not see happen is the enabling of the Remote Desktop. Thus I am
>> getting
>> > denied access, with the error related to the system not being
>> > available.
>> >
>> > I must have missed something obvious, but basically I am looking to
>> > enable
>> > the remote desktop feature in which I would initiate the connection and
>> the
>> > user could say yes or no...rather than the user asking me for
>> > assistance...i'll cross that bridge when I get there...
>> >
>> > Any ideas? Thanks
>> > J
>> >
>> >
>> > ___________________________________________________________________
>> > Offer Remote Assistance Enabled Level 2 - Lockdown
>> > Permit remote control of this computer: Allow helpers to remotely
>> > control
>> > the computer
>> > Helpers:
>> > DOMAIN\Domain Admins
>> > DOMAIN\User One
>> > DOMAIN\User Two
>> > User Three
>> > DOMAIN\User Four
>> > ___________________________________________________________________
>> >
>> > Also I have these settings according to what I could find to enable the
>> > firewall to allow remote assistance
>> > ___________________________________________________________________
>> >
>> >
>> Software\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\
>> List\135:TCP:192.168.1.0/24:enabled:Remote Assistance
>> >
>> >
>> Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplicat
>> ions\List\%WINDIR%\System32\Sessmgr.exe:192.168.1.0/24:Remote Assistance
>> >
>> >
>> Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplicat
>> ions\List\%WINDIR%\System32\Sessmgr.exe:192.168.1.0/24:Remote Assistance
>> >
>> >
>> Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplicat
>> ions\List\%WINDIR%\PCHealth\HelpCtr\Binaries\HelpCtr.exe:Remote Assitance
>> >
>> > ___________________________________________________________________
>> >
>> >
>> >
>> >
>>
>>
>>
!