Configuration Manager Remote Desktop Tools

Hi all, today I’ll share with you ConfigMgr 2012 behind the scene setting that may affect your whole infrastructure and productivity. It’s Remote Control settings in SCCM Client Settings:

We all know that by default, the Administrators and Remote Desktop Users groups have the right to log on remotely through Remote Desktop Protocol. (for Domain Controllers it is Administrators only) ….but Configuration Manager 2012 has another opinion when you give it the controller stick 🙂

To permit users to remotely control machines, by using Remote Desktop or Remote Control tool, we do the following steps:

  1. From SCCM Console go to Administration Tab and click Client Settings from the left side list:
Administration Tab
SCCM Console Administration Tab

2. Open the Default Client Settings or the custom client settings (If you created one for Remote Settings) and click Remote Tools from the left side list:

Clicking Remote Tools
Default Client Settings

3. On Permitted viewers of Remote Control and Remote Assistance click on Set Viewers … :

Set Permitted Viewers
Set Permitted Viewers

4. It will open a list that you can add to it Domain Users or Groups as a Permitted Viewers (Recommend to add dedicated group for Users that needs Remote Access Permissions):

Permitted Viewers Window
Permitted Viewers Window

NOW, What happens when you add Accounts into this list (Permitted Viewers) ?

To answer this question, let’s see what ConfigMgr is doing when you enable Remote Control on Clients:

Configuration Manager creates a group called “ConfigMgr Remote Control Users” in local groups on every Machine, and it give this group the local security policy user wright: “Allow Log on Through Remote Desktop Services“. So when you add any accounts to the Permitted Viewers List, ConfigMgr Client will add them to this group. If you want for example to give Domain Admins the permission to use Remote Control to Share Users Desktop in a shared session, put the Domain Admins group in the Permitted Viewers List. Microsoft Doesn’t recommend adding users to this group (ConfigMgr Remote Control Users) directly, instead add them to the Permitted Viewers List.

Thanks for reading

Hossam

Advertisements