Need to give NON-Admin ability to use TS Manager to Remote Control others' sessions

Leythos

I have a client that wants to give a non-admin the ability to remote
control other users' terminal sessions via the TS Manager.

Any articles on how to set up a "Domain User" with such permission?

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
Vera Noest [MVP]

Modify the user's rights on the rdp-tcp connection. Applies to 2003
as well.

243554 - Explanation of RDP-TCP Permissions in Windows 2000
http://support.microsoft.com/?kbid=243554

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

Leythos <void@nowhere.lan> wrote on 21 jul 2008:

> I have a client that wants to give a non-admin the ability to
> remote control other users terminal sessions via the TS Manager.
>
> Any articles on how to setup a "Domain User" with such
> permission?
 
Soo Kuan Teo [MSFT]

Can you please share with us why you want to let a non-admin remote
control other users?


--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message
news:Xns9AE2A3E61CF75veranoesthemutforsse@207.46.248.16...
> Modify the user's rights on the rdp-tcp connection. Applies to 2003
> as well.
>
> 243554 - Explanation of RDP-TCP Permissions in Windows 2000
> http://support.microsoft.com/?kbid=243554
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> *----------- Please reply in newsgroup -------------*
>
> Leythos <void@nowhere.lan> wrote on 21 jul 2008:
>
>> I have a client that wants to give a non-admin the ability to
>> remote control other users terminal sessions via the TS Manager.
>>
>> Any articles on how to setup a "Domain User" with such
>> permission?
 
Jeff Pitsch

Keep in mind this will give those users the ability to shadow EVERYBODY on
the system. It cannot be filtered.

Jeff Pitsch
Microsoft MVP - Terminal Services

"Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message
news:Xns9AE2A3E61CF75veranoesthemutforsse@207.46.248.16...
> Modify the user's rights on the rdp-tcp connection. Applies to 2003
> as well.
>
> 243554 - Explanation of RDP-TCP Permissions in Windows 2000
> http://support.microsoft.com/?kbid=243554
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> *----------- Please reply in newsgroup -------------*
>
> Leythos <void@nowhere.lan> wrote on 21 jul 2008:
>
>> I have a client that wants to give a non-admin the ability to
>> remote control other users terminal sessions via the TS Manager.
>>
>> Any articles on how to setup a "Domain User" with such
>> permission?
 
Leythos

In article <Xns9AE2A3E61CF75veranoesthemutforsse@207.46.248.16>,
Vera.Noest@remove-this.hem.utfors.se says...
> Modify the user's rights on the rdp-tcp connection. Applies to 2003
> as well.
>
> 243554 - Explanation of RDP-TCP Permissions in Windows 2000
> http://support.microsoft.com/?kbid=243554


Vera, I created a Security Group and added the users into it, gave them
the same permissions as "Users" and added "Remote Control" permission and
they get a denied error when trying to Remote Control any other user's
session... Any ideas?

Thanks.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
Leythos

In article <eZxns306IHA.5012@TK2MSFTNGP02.phx.gbl>,
jeff@jeffpitschconsulting.com says...
> Keep in mind this will give those users the ability to shadow EVERYBODY on
> the system. It cannot be filtered.


Yep, I know and I'm unable to stop it, the manager in charge wants this
function for a few users to help with problems and training and I have
no say in this.


--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
Leythos

In article <1216665643_198872@news.usenet.com>, void@nowhere.lan says...
> In article <Xns9AE2A3E61CF75veranoesthemutforsse@207.46.248.16>,
> Vera.Noest@remove-this.hem.utfors.se says...
> > Modify the user's rights on the rdp-tcp connection. Applies to 2003
> > as well.
> >
> > 243554 - Explanation of RDP-TCP Permissions in Windows 2000
> > http://support.microsoft.com/?kbid=243554

>
> Vera, I created a Security Group and added the users into it, gave them
> same permissions as "Users" and added "Remote Control" permission and
> they get a denied error when trying to Remote Control any other users
> session... Any ideas?


Ok, so I'm getting "Session (ID 6) Remote Control Failed Error 5 -
Access is Denied" from Terminal Services Manager when trying to control
a session for a test user.

On the "terminal server configuration" settings, I selected
"Connections" and then Selected "RDP-TCP" and then right click and
Properties, Permissions Tab, added the Security group I created for
users, it's got User/Guest selected, and then I did Advanced (for
special) and enabled Query, Remote Control, Logon, Message, Connect, all
others are unchecked - none are set to deny.

I've logged off as the two users - one the new Remote Control user and
the other a test generic user to take control of.

Logged back in as both, and get the access denied error.

I also tried setting the Security Group to FULL ACCESS and still get
access denied.

Any other ideas?

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
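
The permission change described in the post above, scripted through WMI and paired with an audit of which accounts hold Remote Control on the connection. This is an added example, not part of the original thread: the group name `EXAMPLE\TS-RemoteControl` and the helper `Get-TSAccount` are hypothetical, and the namespace default assumes Server 2003 (later versions expose these classes under `root\cimv2\TerminalServices`).

```powershell
# Added example (not from the thread). Run elevated on the terminal server.
param(
    [string]$Terminal  = 'RDP-Tcp',
    [string]$Group     = 'EXAMPLE\TS-RemoteControl',  # hypothetical group name
    [string]$Namespace = 'root\cimv2',                # assumption: Server 2003 location
    [switch]$Grant
)

$WINSTATION_SHADOW = 0x10   # "Remote Control" bit in the connection's access mask

# Hypothetical helper: accounts on the connection ACL, optionally a single one.
function Get-TSAccount([string]$Account) {
    $filter = "TerminalName='$Terminal'"
    if ($Account) {
        # WQL string literals need backslashes doubled (DOMAIN\group)
        $filter += " AND AccountName='" + $Account.Replace('\', '\\') + "'"
    }
    Get-WmiObject -Namespace $Namespace -Class Win32_TSAccount -Filter $filter
}

if ($Grant) {
    if (-not (Get-TSAccount $Group)) {
        $setting = Get-WmiObject -Namespace $Namespace -Class Win32_TSPermissionsSetting `
                                 -Filter "TerminalName='$Terminal'"
        # Preset 1 = User Access (Query, Logon, Message, Connect); 2 would be Full Control
        $rc = $setting.AddAccount($Group, 1).ReturnValue
        if ($rc -ne 0) { throw "AddAccount failed with code $rc" }
    }
    # Permission index 4 = WINSTATION_SHADOW; $true = allow
    $rc = (Get-TSAccount $Group).ModifyPermissions(4, $true).ReturnValue
    if ($rc -ne 0) { throw "ModifyPermissions failed with code $rc" }
}

# Audit: every account on this connection that can shadow other sessions.
Get-TSAccount | Where-Object {
    ($_.PermissionsAllowed -band $WINSTATION_SHADOW) -and
    -not ($_.PermissionsDenied -band $WINSTATION_SHADOW)
} | Select-Object AccountName,
    @{ n = 'Allowed'; e = { '0x{0:X}' -f $_.PermissionsAllowed } },
    @{ n = 'Denied';  e = { '0x{0:X}' -f $_.PermissionsDenied } }
```

Run without `-Grant` to list the current Remote Control holders only; the grant path adds Remote Control on top of the User Access preset rather than assigning Full Control.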
 
Vera Noest [MVP]

Leythos <void@nowhere.lan> wrote on 21 jul 2008 in
microsoft.public.windows.terminal_services:

> In article <1216665643_198872@news.usenet.com>, void@nowhere.lan
> says...
>> In article
>> <Xns9AE2A3E61CF75veranoesthemutforsse@207.46.248.16>,
>> Vera.Noest@remove-this.hem.utfors.se says...
>> > Modify the user's rights on the rdp-tcp connection. Applies
>> > to 2003 as well.
>> >
>> > 243554 - Explanation of RDP-TCP Permissions in Windows 2000
>> > http://support.microsoft.com/?kbid=243554

>>
>> Vera, I created a Security Group and added the users into it,
>> gave them same permissions as "Users" and added "Remote
>> Control" permission and they get a denied error when trying to
>> Remote Control any other users session... Any ideas?

>
> Ok, so I'm getting "Session (ID 6) Remote Control Failed Error 5
> - Access is Denied) from Terminal Services Manager when trying
> to control a session for a test user.
>
> On the "terminal server configuration" settings, I selected
> "Connections" and then Selected "RDP-TCP" and then right click
> and Properties, Permissions Tab, added the Security group I
> created for users, it's got User/Guest selected, and then I did
> Advanced (for special) and enabled Query, Remote Control, Logon,
> Message, Connect, all others are unchecked - none are set to
> deny.
>
> I've logged off as the two users - one the new Remote Control
> user and the other a test generic user to take control of.
>
> Logged back in as both, and get the access denied error.
>
> I also tried setting the Security Group to FULL ACCESS and still
> get access denied.
>
> Any other ideas?


No, sorry, I thought that this would work. Will have to do some
testing.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
 
Leythos

In article <Xns9AE2DEC8F69F1veranoesthemutforsse@207.46.248.16>,
vera.noest@remove-this.hem.utfors.se says...
> > Ok, so I'm getting "Session (ID 6) Remote Control Failed Error 5
> > - Access is Denied) from Terminal Services Manager when trying
> > to control a session for a test user.
> >
> > On the "terminal server configuration" settings, I selected
> > "Connections" and then Selected "RDP-TCP" and then right click
> > and Properties, Permissions Tab, added the Security group I
> > created for users, it's got User/Guest selected, and then I did
> > Advanced (for special) and enabled Query, Remote Control, Logon,
> > Message, Connect, all others are unchecked - none are set to
> > deny.
> >
> > I've logged off as the two users - one the new Remote Control
> > user and the other a test generic user to take control of.
> >
> > Logged back in as both, and get the access denied error.
> >
> > I also tried setting the Security Group to FULL ACCESS and still
> > get access denied.
> >
> > Any other ideas?

>
> No, sorry, I thought that this would work. Will have to do some
> testing.


I'm getting the impression that the group must also be a member of some
other group on the terminal server for this to work - I've read reports
about people making the user a member of the LOCAL T/S administrators
group, but that's really bad, so that's out.

If you find something please let me know, thanks.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
Leythos

In article <1216678143_198903@news.usenet.com>, void@nowhere.lan says...
> > No, sorry, I thought that this would work. Will have to do some
> > testing.

>
> I'm getting the impression that the group must also be a member of some
> other group on the terminal server for this to work - I've read reports
> about people making the user a member of the LOCAL T/S administrators
> group, but that's really bad, so that's out.
>
> If you find something please let me know, thanks.


After waiting 30 minutes and trying again, it works. Must have been some
lag between creating two new test accounts and permissions and when it
replicated to the terminal server from the DC.

Thanks for the link to the article.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
Vera Noest [MVP]

Leythos <void@nowhere.lan> wrote on 22 jul 2008:

> In article <1216678143_198903@news.usenet.com>, void@nowhere.lan
> says...
>> > No, sorry, I thought that this would work. Will have to do
>> > some testing.

>>
>> I'm getting the impression that the group must also be a member
>> of some other group on the terminal server for this to work -
>> I've read reports about people making the user a member of the
>> LOCAL T/S administrators group, but that's really bad, so
>> that's out.
>>
>> If you find something please let me know, thanks.

>
> After waiting 30 minutes and trying again, it works. Must have
> been some lag between creating two new test accounts and
> permissions and when it replicated to the terminal server from
> the DC.
>
> Thanks for the link to the article.


OK, I'm glad that it works now.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*
 