Distributing DameWare settings via GPO so that NON-ADMINS can connect.
MANAGING DMRC ACCESS SETTINGS USING A GPO
INTRODUCTION
Access settings for DameWare Mini Remote Control are configured directly in the MRC Client Agent. They are stored locally on the client machine, which makes them difficult to manage on multiple computers. However, since these settings are stored in the Windows Registry, it is possible to configure a GPO to apply changes to these settings across a domain.
This document provides a guide on how to use the Group Policy Management Editor to manage these settings. It lists the Registry Keys that are used to set the MRC Client Agent access settings and explains how to configure them without having to use the agent's GUI.
1- ACCESS CONFIGURATION REGISTRY SUBKEYS
The following is a list of the registry subkeys stored by the Mini Remote Control that are associated with the Access configuration. All these subkeys are located under the key:
HKLM\Software\DameWare Development\Mini Remote Control Service\Settings
Table 1 - DMRC Access Control Subkeys
Subkey Name | MRC Agent GUI location | Type | Description |
---|---|---|---|
Allow All Administrators to Have Control | Additional Settings | REG_DWORD | Sets Full Control by default for any user that belongs to the local or domain “Administrators” group when the MRC session starts. Values: 0x00000001 – Enable; 0x00000000 – Disable |
Allow Only Administrators To Connect | Access | REG_DWORD | Allows MRC connections to the machine only for members of the Local Administrators group. Values: 0x00000001 – Enable; 0x00000000 – Disable |
Group [#] | Access | REG_SZ | Each Group subkey is designated a consecutive number starting with 0. Each one is a string value containing the name of a group, Local or Global, that will be granted permission to start an MRC connection. |
Must Be Member Of Group | Access | REG_DWORD | Allows MRC connections to this machine only to members of one of the registered groups, Local or Global. Values: 0x00000001 – Enable; 0x00000000 – Disable |
Permission Required | Additional Settings | REG_DWORD | Enabling this setting will prompt the currently logged on user to Allow or Deny every MRC connection attempt regardless of the rights used to connect. Values: 0x00000001 – Enable; 0x00000000 – Disable |
Permission Required for non Admin | Access | REG_DWORD | Requires a Non-Administrator to be granted permission from the currently logged on user of the remote machine to connect. When this setting is disabled, a Non-Administrator can connect without receiving permission in “Non-Administrator Mode.” Values: 0x00000001 – Enable; 0x00000000 – Disable |
Disconnect If At Logon Desktop | Access | REG_DWORD | Applies to Non-Administrators who attempt to connect to a remote machine that is currently at the Logon Desktop. If this setting is enabled, the Non-Administrator will not be allowed to establish the MRC connection. Values: 0x00000001 – Enable; 0x00000000 – Disable |
Permission Required for no Admin Force View Only | Access | REG_DWORD | Applies to Non-Administrators. This setting will restrict the MRC session to View Only Mode for the Non-Administrator. Values: 0x00000001 – Enable; 0x00000000 – Disable |
Requires Logon Locally Privilege | Access | REG_DWORD | Allows MRC connections to the machine only for users who have sufficient rights to perform a local Logon to this machine. Values: 0x00000001 – Enable; 0x00000000 – Disable |
2 – Configuring a GPO to manage MRC Access settings
It is not necessary to create a new GPO to manage these settings since they can be set in an existing GPO. The following instructions will describe the procedure in a new GPO, but the same steps would apply on an existing one.
To create the new GPO you can use the Group Policy Management tool. Once you have created it and linked it to the OUs of the computers you plan to manage, open it using the Group Policy Management Editor. You can launch this tool from Group Policy Management by right-clicking on the GPO and selecting “Edit…”
In the editor, navigate to:
Computer Configuration | Preferences | Windows Settings | Registry
Create a collection for the settings by right-clicking “Registry” and selecting New > Collection Item.
You can give the collection the name you want. We suggest you use a name that will help you identify it such as “DameWare Access”. Inside this collection create the Registry Items for the setting you wish to manage. With the exception of Groups, you will only have to add the Registry items the first time you manage the configuration.
2.1 – Creating Registry Items for Access Settings
For each Access setting you would like to manage in the GPO, a Registry Item must be created. When you create it, the “New Registry Properties” window will be displayed. All settings apart from user groups use the same settings. The only thing that changes will be the value name. Here is how each field should be set:
Table 2 - Registry Item fields for MRC Access Control
Field | Value |
---|---|
Action | Update |
Hive | HKEY_LOCAL_MACHINE |
Key Path | SOFTWARE\DameWare Development\Mini Remote Control Service\Settings |
Value Name | Use the Subkey Name of the setting exactly as listed in Table 1. |
Value Type | REG_DWORD |
Value data | 00000001 to enable or 00000000 to disable |
Base | Hexadecimal |
If you decide to manage all Access Settings, your collection will look something like this:
2.2 – Creating Registry Items to set permissions for non-admin Groups
Unlike other Registry Items, groups are defined as String Values. This string, “Group [#]”, will contain the name of the Local or Global Group that you wish to grant access to. It’s important to keep in mind that the “Must Be Member Of Group” subkey must be set to 00000001 in order for any non-admin Group members to be allowed to start an MRC connection. The following table describes what to input on each field when creating the item:
Field | Value |
---|---|
Action | Create |
Hive | HKEY_LOCAL_MACHINE |
Key Path | SOFTWARE\DameWare Development\Mini Remote Control Service\Settings |
Value Name | Group [#] where [#] is a consecutive number starting with 0 (e.g. Group 0) |
Value Type | REG_SZ |
Value data | GroupName or DomainName\GroupName |
A Group [#] subkey must be created for each group that will be granted MRC connection permissions. Make sure each group you add follows a consecutive number: Group 0, Group 1, Group 2, etc. Once you set a Registry Key item for each group you would like to give permission, your collection will look something like this:
Make sure that each Group [#] item has a green triangle icon indicating the Registry Key will be created.
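The steps in sections 2.1 and 2.2 can also be scripted with the GroupPolicy PowerShell module. The following is an added example, not part of the original document; the GPO name, OU, group name and the chosen 0/1 values are placeholder assumptions. The cmdlet places the items at the root of the Registry node rather than inside a collection.

```powershell
# Added example: scripted equivalent of sections 2.1 and 2.2 for a NEW GPO.
# Requires the GroupPolicy module (Group Policy Management feature / RSAT).
Import-Module GroupPolicy

# Placeholders (assumptions, not from the original page): adjust before use.
$GpoName  = 'DameWare Access'
$TargetOu = 'OU=Workstations,DC=example,DC=com'
$Groups   = @('EXAMPLE\MRC-Helpdesk')        # becomes Group 0, Group 1, ...

$Key = 'HKLM\SOFTWARE\DameWare Development\Mini Remote Control Service\Settings'

# REG_DWORD value names exactly as listed in Table 1; the 0/1 choices are illustrative.
$Settings = [ordered]@{
    'Allow Only Administrators To Connect' = 0
    'Must Be Member Of Group'              = 1   # required for Group [#] to apply
    'Permission Required for non Admin'    = 1   # logged-on user must approve
    'Disconnect If At Logon Desktop'       = 1
}

# Existing GPOs are edited as in section 3; refuse to add duplicate items.
if (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue) {
    throw "GPO '$GpoName' already exists; modify its Registry Items instead."
}
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $TargetOu | Out-Null

# Section 2.1: one Registry Item per setting, Action = Update, Type = REG_DWORD.
foreach ($name in $Settings.Keys) {
    Set-GPPrefRegistryValue -Name $GpoName -Context Computer -Action Update `
        -Key $Key -ValueName $name -Type DWord -Value $Settings[$name] | Out-Null
}

# Section 2.2: one REG_SZ item per group, Action = Create, numbered from 0.
for ($i = 0; $i -lt $Groups.Count; $i++) {
    Set-GPPrefRegistryValue -Name $GpoName -Context Computer -Action Create `
        -Key $Key -ValueName "Group $i" -Type String -Value $Groups[$i] | Out-Null
}

# Show what was written to the GPO.
Get-GPPrefRegistryValue -Name $GpoName -Context Computer -Key $Key
```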
3- Managing DMRC Access settings on an existing GPO
Managing an existing Access configuration consists of modifying the Registry Item values in the GPO. To do this, right-click the item in the Group Policy Management Editor and select “Properties”. The item's properties window will come up. To enable or disable the setting defined by each item, the only setting that needs to be modified is the “Value Data” field.
Click OK and once the GPO propagates over the domain, the settings will be applied to the MRC Client Agent in all the machines affected by the policy. DWRCS.EXE dynamically checks the Windows Registry for changes so it is not necessary to restart the services for the changes to take effect.
IMPORTANT: Settings configured using GPO will override any settings set manually in the local machine.
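To confirm on a client that the policy has landed and that the resulting configuration is consistent, the values can be read back from the registry. This is an added example, not part of the original document; it only reads the key named in section 1 and applies the rules stated in Table 1 and section 2.2.

```powershell
# Added example: read-only check of the MRC access settings on one client.
$Path = 'HKLM:\SOFTWARE\DameWare Development\Mini Remote Control Service\Settings'
if (-not (Test-Path $Path)) { throw "Key not found: $Path" }
$props = (Get-ItemProperty -Path $Path).PSObject.Properties

# REG_DWORD value names from Table 1.
$Dwords = 'Allow All Administrators to Have Control',
          'Allow Only Administrators To Connect',
          'Must Be Member Of Group',
          'Permission Required',
          'Permission Required for non Admin',
          'Disconnect If At Logon Desktop',
          'Permission Required for no Admin Force View Only',
          'Requires Logon Locally Privilege'

foreach ($name in $Dwords) {
    $p = $props[$name]
    [pscustomobject]@{ Setting = $name; Value = if ($p) { $p.Value } else { '(not set)' } }
}

# Collect "Group [#]" string values and sort them by their number.
$groups = @(foreach ($p in $props) {
    if ($p.Name -match '^Group (\d+)$') {
        [pscustomobject]@{ Index = [int]$Matches[1]; Group = $p.Value }
    }
})
$groups = @($groups | Sort-Object Index)
$groups

# Section 2.2: numbering must be consecutive, starting with 0.
for ($i = 0; $i -lt $groups.Count; $i++) {
    if ($groups[$i].Index -ne $i) {
        Write-Warning "Group numbering is not consecutive: expected 'Group $i', found 'Group $($groups[$i].Index)'."
        break
    }
}

# Section 2.2: groups only take effect when 'Must Be Member Of Group' is 1.
$member = $props['Must Be Member Of Group']
if ($groups.Count -gt 0 -and (-not $member -or $member.Value -ne 1)) {
    Write-Warning "Group entries exist but 'Must Be Member Of Group' is not set to 1."
}

# Table 1: when disabled, Non-Administrators connect without the user's permission.
$consent = $props['Permission Required for non Admin']
if ($consent -and $consent.Value -eq 0) {
    Write-Warning "'Permission Required for non Admin' is disabled."
}
```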