Configure TS Automatically for Logged On User


Thomas M.

XP SP2

We are in the process of converting our users to standard user accounts. We
have a number of employees who use terminal services to remotely control
their machines. By default, administrators on the local machine have the
right to use terminal services, whereas non-administrators must be added to
the Remote Desktop Users list. This sets up a situation where people have
the ability to use terminal services by virtue of the fact that they are
members of the local administrators group. Once they are removed from local
administrators group, and if they have not been added to the Remote Desktop
Users list, they lose the ability to use terminal services. Of course, an
administrator must then login and add the user's account to the Remote
Desktop Users list so that he or she can continue to use terminal services
after being converted to a standard user account.

The obvious solution would be to add the user account to the Remote Desktop
Users list BEFORE taking away the user's admin rights. I would like to know
if there is some way to automate this work. Is there a script, or a
registry hack, that will add the currently logged in user to the Remote
Desktop Users list?

FYI: We run Active Directory and Novell eDirectory, so we have a number of
options for limiting the distribution of any such script or registry hack to
only those employees who are authorized to use terminal services. In other
words, we can control it so that it goes to only the employees we specify,
and not to everyone.

--Tom
 
Re: Configure TS Automatically for Logged On User

Thomas,
include the following
net localgroup /add "Remote Desktop Users" %username%
in the logon script (this will succeed if the current user is a member of
local Administrators - which, from what I understand, is what you are
looking for)

hth
Marcin
 
Re: Configure TS Automatically for Logged On User

Yep, that sounds like what I am looking for. I could create a security
group called something like TSUsers and then add an IF statement to run your
command if the user is a member of the TSUsers group. That should work.

Now I've come up with two other questions. First, is there a registry hack
or something that will cause the "Allow users to connect remotely to this
computer" box to be checked? That box is on the Remote tab of the system
properties.

Ideally, when we get a request to configure someone to use TS we would just
drop them into a domain group and then the login script, based on membership
in that group, would check the box and add the user to the Remote Desktop
Users group. That would allow us to do this with essentially no overhead.

Second, say that Betty logs on to Mike's computer and that the login script
configures Mike's computer so that Betty can use TS to control the machine.
After Betty logs off, does her user name remain a member of the Remote
Desktop Users group, meaning that she would retain the ability to remotely
control Mike's machine?

--Tom

"Marcin" <marcin@community.nospam> wrote in message
news:7028CF0A-13C6-4753-8EEC-C1E69B7327B6@microsoft.com...
> Thomas,
> include the following
> net localgroup /add "Remote Desktop Users" %username%
> in the logon script (this will succeed if the current user is a member of
> local Administrators - which, from what I understand, is what you are
> looking for)
>
> hth
> Marcin
>
 
Re: Configure TS Automatically for Logged On User

We have a solution called Virtual Access Suite, Desktop Services Edition
which allows publishing of desktops or individual applications from Managed
Virtual Desktops (on VMware or Virtual Iron), Standard XP Pro or Vista
Desktops or Blade PCs. With our solution the administrator assigns users to
desktops, or users get a desktop from a pool (and return it to a pool at
logoff) or users get a desktop from a pool and retain it permanently. Our
solution removes the user's name from the Remote Desktop Users Group at
logoff, so users cannot connect via remote desktop w/o connecting via our
Connection Broker.

Users can connect via Web Browser w/ SSL Gateway, CE Client, Linux Client or
Win32 non-web client.

With this an administrator can offer a managed desktop/application solution
for internal and external users (VDI) and stop paying a recurring fee for
services such as GoToMyPC.



--
Patrick C. Rouse
Microsoft MVP - Terminal Server
SE, West Coast USA & Canada
Quest Software, Provision Networks Division
Virtual Client Solutions
http://www.provisionnetworks.com


"Thomas M." wrote:

> Yep, that sounds like what I am looking for. I could create a security
> group called something like TSUsers and then add an IF statement to run your
> command if the user is a member of the TSUsers group. That should work.
>
> Now I've come up with two other questions. First, is there a registry hack
> or something that will cause the "Allow users to connect remotely to this
> computer" box to be checked? That box is on the Remote tab of the system
> properties.
>
> Ideally, when we get a request to configure someone to use TS we would just
> drop them into a domain group and then the login script, based on membership
> in that group, would check the box and add the user to the Remote Desktop
> Users group. That would allow us to do this with essentially no overhead.
>
> Second, say that Betty logs on to Mike's computer and that the login script
> configures Mike's computer so that Betty can use TS to control the machine.
> After Betty logs off, does her user name remain a member of the Remote
> Desktop Users group, meaning that she would retain the ability to remotely
> control Mike's machine?
>
> --Tom
>
> "Marcin" <marcin@community.nospam> wrote in message
> news:7028CF0A-13C6-4753-8EEC-C1E69B7327B6@microsoft.com...
> > Thomas,
> > include the following
> > net localgroup /add "Remote Desktop Users" %username%
> > in the logon script (this will succeed if the current user is a member of
> > local Administrators - which, from what I understand, is what you are
> > looking for)
> >
> > hth
> > Marcin
> >

>
>
>
 
Re: Configure TS Automatically for Logged On User

I'll have to look into that.

I think that we are doing something similar via Citrix, but I don't deal
with that end of things so I'm not completely sure how it works. I plan to
meet with our Citrix people to get more info. One problem that we've run
into is that some people want to be set up without going through Citrix so
that they can still reach their desktops in the event that the Citrix
servers are having problems. Those are the people who are giving us
headaches because right now we just set them up manually (there aren't very
many). I'd like to get to the point where we don't need to visit the
machine, but we're struggling with how to do that in a way that doesn't
leave the employee with the ability to remotely access any machine that
they've logged in to previously.

--Tom

"Patrick Rouse" <PatrickRouse@discussions.microsoft.com> wrote in message
news:A7CD129F-6DA3-4A7D-81A4-6A846AA58781@microsoft.com...
> We have a solution called Virtual Access Suite, Desktop Services Edition
> which allows publishing of desktops or individual applications from
> Managed Virtual Desktops (on VMware or Virtual Iron), Standard XP Pro or
> Vista Desktops or Blade PCs. With our solution the administrator assigns
> users to desktops, or users get a desktop from a pool (and return it to a
> pool at logoff) or users get a desktop from a pool and retain it
> permanently. Our solution removes the user's name from the Remote Desktop
> Users Group at logoff, so users cannot connect via remote desktop w/o
> connecting via our Connection Broker.
>
> Users can connect via Web Browser w/ SSL Gateway, CE Client, Linux Client
> or Win32 non-web client.
>
> With this an administrator can offer a managed desktop/application
> solution for internal and external users (VDI) and stop paying a recurring
> fee for services such as GoToMyPC.
>
>
>
> --
> Patrick C. Rouse
> Microsoft MVP - Terminal Server
> SE, West Coast USA & Canada
> Quest Software, Provision Networks Division
> Virtual Client Solutions
> http://www.provisionnetworks.com
>
>
> "Thomas M." wrote:
>
>> Yep, that sounds like what I am looking for. I could create a security
>> group called something like TSUsers and then add an IF statement to run
>> your command if the user is a member of the TSUsers group. That should
>> work.
>>
>> Now I've come up with two other questions. First, is there a registry
>> hack or something that will cause the "Allow users to connect remotely to
>> this computer" box to be checked? That box is on the Remote tab of the
>> system properties.
>>
>> Ideally, when we get a request to configure someone to use TS we would
>> just drop them into a domain group and then the login script, based on
>> membership in that group, would check the box and add the user to the
>> Remote Desktop Users group. That would allow us to do this with
>> essentially no overhead.
>>
>> Second, say that Betty logs on to Mike's computer and that the login
>> script configures Mike's computer so that Betty can use TS to control the
>> machine. After Betty logs off, does her user name remain a member of the
>> Remote Desktop Users group, meaning that she would retain the ability to
>> remotely control Mike's machine?
>>
>> --Tom
>>
>> "Marcin" <marcin@community.nospam> wrote in message
>> news:7028CF0A-13C6-4753-8EEC-C1E69B7327B6@microsoft.com...
>> > Thomas,
>> > include the following
>> > net localgroup /add "Remote Desktop Users" %username%
>> > in the logon script (this will succeed if the current user is a member
>> > of local Administrators - which, from what I understand, is what you are
>> > looking for)
>> >
>> > hth
>> > Marcin
>> >

>>
>>
>>
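
The group-gated logon script discussed in this thread, as an added example that is not code from any of the posters: it adds the logged-on user to Remote Desktop Users only when the logon token carries both the TSUsers domain group Thomas proposes and a per-computer group, and removes a stale entry otherwise, which is the Betty-on-Mike's-machine case. The per-computer group name TS-<COMPUTERNAME> is a hypothetical convention assumed here, and domain accounts are assumed.

```powershell
# Added example, not from the thread. Runs as a logon script in the user's
# context, so the group changes only succeed while that user is still a
# local administrator.
$domain   = $env:USERDOMAIN
$account  = "$domain\$env:USERNAME"
$rdpGroup = 'Remote Desktop Users'

# TSUsers is the group name proposed in the thread; the per-computer group
# "TS-<COMPUTERNAME>" is a hypothetical naming convention assumed here.
$required = @("$domain\TSUsers", "$domain\TS-$env:COMPUTERNAME")

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# Authorized only if the logon token carries BOTH domain groups.
$authorized = $true
foreach ($group in $required) {
    if (-not $principal.IsInRole($group)) { $authorized = $false }
}

# Current local membership, read with the same tool the thread uses.
$members  = net localgroup $rdpGroup | ForEach-Object { $_.Trim() }
$isMember = $members -contains $account

if ($authorized -and -not $isMember) {
    net localgroup $rdpGroup $account /add | Out-Null
    $action = 'add'
} elseif (-not $authorized -and $isMember) {
    # Stale grant left by an earlier logon on someone else's machine.
    net localgroup $rdpGroup $account /delete | Out-Null
    $action = 'remove'
} else {
    $action = 'none'
}

if ($action -ne 'none' -and $LASTEXITCODE -ne 0) {
    Write-Warning "$action of $account in '$rdpGroup' failed (exit $LASTEXITCODE); needs an administrator."
} else {
    Write-Output "$env:COMPUTERNAME $account authorized=$authorized action=$action"
}
```

Group membership in the token is fixed at logon, so a user added to either domain group is picked up at the next logon. Once the user is a standard account the removal branch can no longer succeed, so stale entries on those machines have to be cleaned up from an administrative context.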
 